diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c0549a7c0101..250765f3f1f2 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -268,6 +268,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612]
 - Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244]
 - Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]
+- Added new module `o365` for ingesting Office 365 management activity API events. {issue}16196[16196] {pull}16386[16386]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index f606dbb84bd3..8d1be818e9fe 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -48,6 +48,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -22088,6 +22089,664 @@ alias to: source.geo.region_iso_code -- +[[exported-fields-o365]] +== Office 365 fields + +Module for handling logs from Office 365. + + + +[float] +=== o365.audit + +Fields from Office 365 Management API audit logs. + + + +*`o365.audit.Actor`*:: ++ +-- +type: array + +-- + +*`o365.audit.ActorContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorIpAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorYammerUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertEntityId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertLinks`*:: ++ +-- +type: array + +-- + +*`o365.audit.AlertType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationDisplayName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AzureActiveDirectoryEventType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExchangeMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Category`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientAppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientInfoString`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIP`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIPAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Comments`*:: ++ +-- +type: text + +-- + +*`o365.audit.CorrelationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CreationTime`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CustomUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Data`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.DataType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EntityType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventData`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventSource`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExceptionInfo.*`*:: ++ +-- +type: 
object + +-- + +*`o365.audit.ExtendedProperties.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExternalAccess`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.GroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Id`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ImplicitShare`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IncidentId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InternalLogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InterSystemsId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IntraSystemId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Item.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Item.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ItemName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ItemType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListItemUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonError`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonUserSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerMasterAccountSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerUPN`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Members`*:: ++ +-- +type: array + +-- + +*`o365.audit.Members.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ModifiedProperties.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Name`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ObjectId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Operation`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OriginatingServer`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Parameters.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.PolicyDetails`*:: ++ +-- 
+type: array + +-- + +*`o365.audit.PolicyId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.RecordType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ResultStatus`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SharePointMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.SessionId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Severity`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Site`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SiteUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Source`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileExtension`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceRelativeUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Status`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SupportTicketId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Target`*:: ++ +-- +type: array + +-- + +*`o365.audit.TargetContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UniqueSharingId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserAgent`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserKey`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Version`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.WebId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Workload`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.YammerNetworkId`*:: ++ +-- +type: keyword + +-- + [[exported-fields-osquery]] == Osquery fields 
diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc
index 3cfeab3962a9..efeb936cd205 100644
--- a/filebeat/docs/filebeat-options.asciidoc
+++ b/filebeat/docs/filebeat-options.asciidoc
@@ -57,6 +57,7 @@ You can configure {beatname_uc} to use the following inputs:
 * <<{beatname_lc}-input-google-pubsub>>
 * <<{beatname_lc}-input-azure-eventhub>>
 * <<{beatname_lc}-input-cloudfoundry>>
+* <<{beatname_lc}-input-o365audit>>
 include::multiline.asciidoc[]
@@ -90,3 +91,5 @@ include::../../x-pack/filebeat/docs/inputs/input-google-pubsub.asciidoc[]
 include::../../x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc[]
 include::../../x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc[]
+
+include::../../x-pack/filebeat/docs/inputs/input-o365audit.asciidoc[]
diff --git a/filebeat/docs/images/filebeat-o365-audit.png b/filebeat/docs/images/filebeat-o365-audit.png
new file mode 100644
index 000000000000..a2413e7b909b
Binary files /dev/null and b/filebeat/docs/images/filebeat-o365-audit.png differ
diff --git a/filebeat/docs/images/filebeat-o365-azure-permissions.png b/filebeat/docs/images/filebeat-o365-azure-permissions.png
new file mode 100644
index 000000000000..19a98e687ad0
Binary files /dev/null and b/filebeat/docs/images/filebeat-o365-azure-permissions.png differ
diff --git a/filebeat/docs/modules/o365.asciidoc b/filebeat/docs/modules/o365.asciidoc
new file mode 100644
index 000000000000..05a4f1a7b602
--- /dev/null
+++ b/filebeat/docs/modules/o365.asciidoc
@@ -0,0 +1,226 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-o365]] +[role="xpack"] + +:modulename: o365 +:has-dashboards: true + +== Office 365 module + +This is a module for Office 365 logs received via one of the Office 365 API +endpoints. It currently supports user, admin, system, and policy actions and +events from Office 365 and Azure AD activity logs exposed by the Office 365 +Management Activity API. + +The {plugins}/ingest-geoip.html[ingest-geoip] and +{plugins}/ingest-user-agent.html[ingest-user_agent] Elasticsearch plugins are +required to run this module. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `audit` fileset settings + +The `audit` fileset uses the Office 365 Management Activity API to retrieve +audit messages from Office 365 and Azure AD activity logs. These are the same +logs that are available under _Audit_ _Log_ _Search_ in the _Security_ _and_ +_Compliance_ _Center._ + +[float] +===== Setup + +To use this fileset you need to https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide#turn-on-audit-log-search[enable Audit Log Search] + and https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis#register-your-application-in-azure-ad[register an application in Azure AD.] + +Once this application is registered note the _Application (client) ID_ and the +_Directory (tenant) ID._ Then configure the authentication in the _Certificates & Secrets_ +section. 
+ + +Example configuration `o365.yml` using client-secret authentication: + +[source,yaml] +---- + audit: + enabled: true + var.application_id: "" + var.tenants: + - id: "" + name: "mytenant.onmicrosoft.com" + var.client_secret: "" +---- + +Certificate-based authentication is specially useful when monitoring multiple +tenants. Example configuration: + +[source,yaml] +---- + audit: + enabled: true + var.application_id: "" + var.tenants: + - id: "" + name: "tenantA.onmicrosoft.com" + - id: "" + name: "tenantB.onmicrosoft.com" + var.certificate: "/path/to/certificate.pem" + var.key: "/path/to/private_key.pem" + var.key_passphrase: "my_passphrase" # (optional) for encrypted keys +---- + +Finally you need to add permissions in the _API permissions_ section and grant +it admin consent. Click on _Add permission_ and select +_Office 365 Management APIs._ The needed permissions are: + +- User.Read +- ActivityFeed.Read +- ActivityFeed.ReadDlp +- ServiceHealth.Read + +[role="screenshot"] +image::./images/filebeat-o365-azure-permissions.png[] + +Once the required permissions are added, click the _Grant admin consent_ button. +Note that it can take a while for the required permissions to be in effect, so +it's possible that you observe some permission errors when running {beatname_uc} +right away. + +[float] +===== Alternative endpoints + +This module supports custom endpoints for on-prem deployments as well as +alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In +order to point the module to an alternative endpoint, you need to adjust the +`authentication_endpoint` and `resource` variables accordingly. 
For example: + +[source,yaml] +---- + var.api: + # default is https://login.microsoftonline.com/ + authentication_endpoint: https://login.microsoftonline.us/ + # default is https://manage.office.com + resource: https://manage.office365.us +---- + +[float] +===== Configuration options + +*`var.application_id`*:: + +The Application ID (also known as client ID) of the Azure application. + +*`var.tenants`*:: + +A list of one or more tenant IDs and name pairs. Set the `id` field to the +tenant ID (also known as Directory ID). Set the name to the host name for the +tenant, that is, the Office 365 domain for your organization. + +*`var.client_secret`*:: + +The client-secret (api_key) used to authenticate your Azure AD application. This +option cannot be specified at the same time as the `var.certificate` option. + +*`var.certificate`*:: + +Path to the certificate file used for client authentication. This option cannot +be specified at the same time as the `var.client_secret` option. + +*`var.key`*:: + +Path to the private key file used for client authentication. + +*`var.key_passphrase`*:: + +The passphrase used to decrypt an encrypted key stored in the configured +`var.key` file. Only set this option when the key is encrypted. + +*`var.content_type`*:: + +The list of content-types to subscribe to. By default, it subscribes to all +known content-types: +- Audit.AzureActiveDirectory +- Audit.Exchange +- Audit.SharePoint +- Audit.General +- DLP.All + + +[float] +===== Advanced configuration options + +The following configuration options are only recomended in case of problems. +They must be nested under a single `var.api` key, like this: + +[source,yaml] +---- + var.api: + authentication_endpoint: https://login.microsoftonline.com/ + resource: https://manage.office.com + max_retention: 168h + poll_interval: 3m + max_requests_per_minute: 2000 + max_query_size: 24h +---- + +*`var.api.authentication_endpoint`*:: + +The authentication endpoint used to authorize the Azure app. 
This is +`https://login.microsoftonline.com/` by default, and can be changed to access +alternative endpoints. + +*`var.api.resource`*:: + +The API resource to retrieve information from. This is +`https://manage.office.com` by default, and can be changed to access alternative +endpoints. + +*`var.api.max_retention`*:: + +The maximum data retention period to support. `168h` by default. {beatname_uc} +will fetch all retained data for a tenant when run for the first time. The +default is 7 days. Adjust it if your tenant has a different retention period. + +*`var.api.poll_interval`*:: + +The interval to wait before polling the API server for new events. Default `3m`. + +*`var.api.max_requests_per_minute`*:: + +The maximum number of requests to perform per minute, for each tenant. The +default is `2000`, as this is the server-side limit per tenant. + +*`var.api.max_query_size`*:: + +The maximum time window that API allows in a single query. Defaults to `24h` +to match Microsoft's documented limit. + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/filebeat-o365-audit.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index f97dff34a0d8..bd37f4864c90 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -29,6 +29,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -70,6 +71,7 @@ include::modules/mysql.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] include::modules/nginx.asciidoc[] +include::modules/o365.asciidoc[] include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] 
diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
index aa1e5370b289..cca6ed138a40 100644
--- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
@@ -23,8 +23,7 @@ This input doesn't perform any transformation on the incoming messages, notably
 no {ecs-ref}/ecs-reference.html[Elastic Common Schema fields] are populated, and some data is encoded as arrays of objects, which are difficult to query in Elasticsearch. You probably want to use the
-{filebeat-ref}/filebeat-module-o365.html[o365 module] instead.
-// TODO: link to O365 module docs.
+{filebeat-ref}/filebeat-module-o365.html[Office 365 module] instead.
 Example configuration:
@@ -116,7 +115,7 @@ endpoints.
 ===== `api.max_retention`
-The maximum data retention period to support. `178h` by default. {beatname_uc}
+The maximum data retention period to support. `168h` by default. {beatname_uc}
 will fetch all retained data for a tenant when run for the first time.
 ===== `api.poll_interval`
@@ -132,3 +131,8 @@ default is `2000`, as this is the server-side limit per tenant.
 The maximum time window that API allows in a single query. Defaults to `24h` to match Microsoft's documented limit.
+
+[id="{beatname_lc}-input-{type}-common-options"]
+include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
+
+:type!:
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 50188721eab0..14e217e527ed 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -695,6 +695,53 @@ filebeat.modules: # # Filebeat will choose the paths depending on your OS. # #var.paths: +#------------------------------ Office 365 Module ------------------------------ +- module: o365 + audit: + enabled: true + + # Set the application_id (also known as client ID): + var.application_id: "" + + # Configure the tenants to monitor: + # Use the tenant ID (also known as directory ID) and the domain name. + # var.tenants: + # - id: "tenant_id_1" + # name: "mydomain.onmicrosoft.com" + # - id: "tenant_id_2" + # name: "mycompany.com" + var.tenants: + - id: "" + name: "mytenant.onmicrosoft.com" + + # List of content-types to fetch. By default all known content-types + # are retrieved: + # var.content_type: + # - "Audit.AzureActiveDirectory" + # - "Audit.Exchange" + # - "Audit.SharePoint" + # - "Audit.General" + # - "DLP.All" + + # Use the following settings to enable certificate-based authentication: + # var.certificate: "/path/to/certificate.pem" + # var.key: "/path/to/private_key.pem" + # var.key_passphrase: "myPrivateKeyPassword" + + # Client-secret based authentication: + # Comment the following line if using certificate authentication. + var.client_secret: "" + + # Advanced settings, use with care: + # var.api: + # # Settings for custom endpoints: + # authentication_endpoint: "https://login.microsoftonline.us/" + # resource: "https://manage.office365.us" + # + # max_retention: 7d + # max_requests_per_minute: 2000 + # poll_interval: 3m + #------------------------------- Osquery Module ------------------------------- - module: osquery result: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 7970538c0c47..4054ebb3921f 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go 
@@ -28,6 +28,7 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow"
+ _ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata"
diff --git a/x-pack/filebeat/input/o365audit/config.go b/x-pack/filebeat/input/o365audit/config.go
index f30e368a9e26..cb703e61bd19 100644
--- a/x-pack/filebeat/input/o365audit/config.go
+++ b/x-pack/filebeat/input/o365audit/config.go
@@ -6,6 +6,7 @@ package o365audit
 import (
 "fmt"
+ "net/url"
 "time"
 "github.com/pkg/errors"
@@ -146,6 +147,14 @@ func (c *Config) Validate() (err error) {
 return errors.Wrap(err, "invalid certificate config")
 }
 }
+ c.API.Resource, err = forceURLScheme(c.API.Resource, "https")
+ if err != nil {
+ return errors.Wrapf(err, "resource '%s' is not a valid URL", c.API.Resource)
+ }
+ c.API.AuthenticationEndpoint, err = forceURLScheme(c.API.AuthenticationEndpoint, "https")
+ if err != nil {
+ return errors.Wrapf(err, "authentication_endpoint '%s' is not a valid URL", c.API.AuthenticationEndpoint)
+ }
 return nil
 }
@@ -193,3 +202,20 @@ func (c *Config) NewTokenProvider(tenantID string) (auth.TokenProvider, error) {
 c.CertificateConfig,
 )
 }
+
+// Ensures that the passed URL has a scheme, using the provided one if needed.
+// Returns an error is the URL can't be parsed.
+func forceURLScheme(baseURL, scheme string) (urlWithScheme string, err error) {
+ parsed, err := url.Parse(baseURL)
+ if err != nil {
+ return "", err
+ }
+ // Scheme is mandatory
+ if parsed.Scheme == "" {
+ withResource := "https://" + baseURL
+ if parsed, err = url.Parse(withResource); err != nil {
+ return "", err
+ }
+ }
+ return parsed.String(), nil
+}
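Review bot: In the new `Validate` lines, `c.API.Resource, err = forceURLScheme(c.API.Resource, "https")` stores the empty string that `forceURLScheme` returns on failure into the field before the error path formats `c.API.Resource`, so a rejected value is reported as `resource '' is not a valid URL` and the offending input is lost; the `c.API.AuthenticationEndpoint` pair a few lines below has the same problem. Hold the result in a local until the check has passed: `resource, err := forceURLScheme(c.API.Resource, "https")`, keep the `if err != nil` block as it is, then `c.API.Resource = resource`, and likewise for the endpoint. `Validate` begins before the hunk; only its tail is visible here.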
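Review bot: `forceURLScheme` never uses its `scheme` parameter: the fallback line `withResource := "https://" + baseURL` hard-codes `https`, so both the signature and the doc comment ("using the provided one") promise something the body does not do. Use the parameter, `withScheme := scheme + "://" + baseURL`, which also fixes the local's name, since it holds a URL rather than a resource. The comment's `Returns an error is the URL can't be parsed` should read `if`, and the named result `urlWithScheme` is never assigned, so it can be dropped. `url.Parse` treats `host:port` as scheme `host` with an opaque part, so a constructed input such as `manage.example.com:443` passes the `parsed.Scheme == ""` check and comes back without `https://`; a unit test for that shape would pin the intended behaviour. An explicit `http://` is still accepted unchanged, and since the client secret and the issued tokens are sent to these endpoints, rejecting or at least logging a non-`https` scheme here would be a cheap safeguard.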
diff --git a/x-pack/filebeat/module/o365/_meta/config.yml b/x-pack/filebeat/module/o365/_meta/config.yml
new file mode 100644
index 000000000000..8114b404aa46
--- /dev/null
+++ b/x-pack/filebeat/module/o365/_meta/config.yml
@@ -0,0 +1,45 @@
+- module: o365
+ audit:
+ enabled: true
+
+ # Set the application_id (also known as client ID):
+ var.application_id: ""
+
+ # Configure the tenants to monitor:
+ # Use the tenant ID (also known as directory ID) and the domain name.
+ # var.tenants:
+ # - id: "tenant_id_1"
+ # name: "mydomain.onmicrosoft.com"
+ # - id: "tenant_id_2"
+ # name: "mycompany.com"
+ var.tenants:
+ - id: ""
+ name: "mytenant.onmicrosoft.com"
+
+ # List of content-types to fetch. By default all known content-types
+ # are retrieved:
+ # var.content_type:
+ # - "Audit.AzureActiveDirectory"
+ # - "Audit.Exchange"
+ # - "Audit.SharePoint"
+ # - "Audit.General"
+ # - "DLP.All"
+
+ # Use the following settings to enable certificate-based authentication:
+ # var.certificate: "/path/to/certificate.pem"
+ # var.key: "/path/to/private_key.pem"
+ # var.key_passphrase: "myPrivateKeyPassword"
+
+ # Client-secret based authentication:
+ # Comment the following line if using certificate authentication.
+ var.client_secret: ""
+
+ # Advanced settings, use with care:
+ # var.api:
+ # # Settings for custom endpoints:
+ authentication_endpoint: "https://login.microsoftonline.us/"
+ resource: "https://manage.office365.us"
+ #
+ max_retention: 7d
+ max_requests_per_minute: 2000
+ poll_interval: 3m
diff --git a/x-pack/filebeat/module/o365/_meta/docs.asciidoc b/x-pack/filebeat/module/o365/_meta/docs.asciidoc
new file mode 100644
index 000000000000..d2cf47304411
--- /dev/null
+++ b/x-pack/filebeat/module/o365/_meta/docs.asciidoc
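Review bot: The example `max_retention: 7d` in the `var.api` block uses a `d` unit that Go's `time.ParseDuration` does not accept, while the module docs added in this same commit give the setting as `168h`; if `max_retention` is unpacked into a `time.Duration` (the input's `config.go` imports `time`), a user copying the example would get a config error, so it should read `max_retention: 168h`. `x-pack/filebeat/filebeat.reference.yml` carries the same example and is regenerated from this file. As rendered here, the lines from `authentication_endpoint:` through `poll_interval:` under `# var.api:` show no leading `#`, unlike the sibling commented examples; if the file really reads that way they are live keys at a foreign indent rather than an example, which is worth confirming against the file. Since `var.client_secret: ""` is a live setting, the example could also point at the keystore, e.g. `var.client_secret: "${O365_CLIENT_SECRET}"` (a constructed key name), so the secret does not have to sit in the file in clear.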
@@ -0,0 +1,213 @@
+[role="xpack"]
+
+:modulename: o365
+:has-dashboards: true
+
+== Office 365 module
+
+This is a module for Office 365 logs received via one of the Office 365 API
+endpoints. It currently supports user, admin, system, and policy actions and
+events from Office 365 and Azure AD activity logs exposed by the Office 365
+Management Activity API.
+
+The {plugins}/ingest-geoip.html[ingest-geoip] and
+{plugins}/ingest-user-agent.html[ingest-user_agent] Elasticsearch plugins are
+required to run this module.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `audit` fileset settings
+
+The `audit` fileset uses the Office 365 Management Activity API to retrieve
+audit messages from Office 365 and Azure AD activity logs. These are the same
+logs that are available under _Audit_ _Log_ _Search_ in the _Security_ _and_
+_Compliance_ _Center._
+
+[float]
+===== Setup
+
+To use this fileset you need to https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide#turn-on-audit-log-search[enable Audit Log Search]
+ and https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis#register-your-application-in-azure-ad[register an application in Azure AD.]
+
+Once this application is registered note the _Application (client) ID_ and the
+_Directory (tenant) ID._ Then configure the authentication in the _Certificates & Secrets_
+section.
+
+
+Example configuration `o365.yml` using client-secret authentication:
+
+[source,yaml]
+----
+ audit:
+ enabled: true
+ var.application_id: ""
+ var.tenants:
+ - id: ""
+ name: "mytenant.onmicrosoft.com"
+ var.client_secret: ""
+----
+
+Certificate-based authentication is specially useful when monitoring multiple
+tenants. Example configuration:
+
+[source,yaml]
+----
+ audit:
+ enabled: true
+ var.application_id: ""
+ var.tenants:
+ - id: ""
+ name: "tenantA.onmicrosoft.com"
+ - id: ""
+ name: "tenantB.onmicrosoft.com"
+ var.certificate: "/path/to/certificate.pem"
+ var.key: "/path/to/private_key.pem"
+ var.key_passphrase: "my_passphrase" # (optional) for encrypted keys
+----
+
+Finally you need to add permissions in the _API permissions_ section and grant
+it admin consent. Click on _Add permission_ and select
+_Office 365 Management APIs._ The needed permissions are:
+
+- User.Read
+- ActivityFeed.Read
+- ActivityFeed.ReadDlp
+- ServiceHealth.Read
+
+[role="screenshot"]
+image::./images/filebeat-o365-azure-permissions.png[]
+
+Once the required permissions are added, click the _Grant admin consent_ button.
+Note that it can take a while for the required permissions to be in effect, so
+it's possible that you observe some permission errors when running {beatname_uc}
+right away.
+
+[float]
+===== Alternative endpoints
+
+This module supports custom endpoints for on-prem deployments as well as
+alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In
+order to point the module to an alternative endpoint, you need to adjust the
+`authentication_endpoint` and `resource` variables accordingly. For example:
+
+[source,yaml]
+----
+ var.api:
+ # default is https://login.microsoftonline.com/
+ authentication_endpoint: https://login.microsoftonline.us/
+ # default is https://manage.office.com
+ resource: https://manage.office365.us
+----
+
+[float]
+===== Configuration options
+
+*`var.application_id`*::
+
+The Application ID (also known as client ID) of the Azure application.
+
+*`var.tenants`*::
+
+A list of one or more tenant IDs and name pairs. Set the `id` field to the
+tenant ID (also known as Directory ID). Set the name to the host name for the
+tenant, that is, the Office 365 domain for your organization.
+
+*`var.client_secret`*::
+
+The client-secret (api_key) used to authenticate your Azure AD application. This
+option cannot be specified at the same time as the `var.certificate` option.
+
+*`var.certificate`*::
+
+Path to the certificate file used for client authentication. This option cannot
+be specified at the same time as the `var.client_secret` option.
+
+*`var.key`*::
+
+Path to the private key file used for client authentication.
+
+*`var.key_passphrase`*::
+
+The passphrase used to decrypt an encrypted key stored in the configured
+`var.key` file. Only set this option when the key is encrypted.
+
+*`var.content_type`*::
+
+The list of content-types to subscribe to. By default, it subscribes to all
+known content-types:
+- Audit.AzureActiveDirectory
+- Audit.Exchange
+- Audit.SharePoint
+- Audit.General
+- DLP.All
+
+
+[float]
+===== Advanced configuration options
+
+The following configuration options are only recomended in case of problems.
+They must be nested under a single `var.api` key, like this:
+
+[source,yaml]
+----
+ var.api:
+ authentication_endpoint: https://login.microsoftonline.com/
+ resource: https://manage.office.com
+ max_retention: 168h
+ poll_interval: 3m
+ max_requests_per_minute: 2000
+ max_query_size: 24h
+----
+
+*`var.api.authentication_endpoint`*::
+
+The authentication endpoint used to authorize the Azure app. This is
+`https://login.microsoftonline.com/` by default, and can be changed to access
+alternative endpoints.
+
+*`var.api.resource`*::
+
+The API resource to retrieve information from. This is
+`https://manage.office.com` by default, and can be changed to access alternative
+endpoints.
+
+*`var.api.max_retention`*::
+
+The maximum data retention period to support. `168h` by default. {beatname_uc}
+will fetch all retained data for a tenant when run for the first time. The
+default is 7 days. Adjust it if your tenant has a different retention period.
+
+*`var.api.poll_interval`*::
+
+The interval to wait before polling the API server for new events. Default `3m`.
+
+*`var.api.max_requests_per_minute`*::
+
+The maximum number of requests to perform per minute, for each tenant. The
+default is `2000`, as this is the server-side limit per tenant.
+
+*`var.api.max_query_size`*::
+
+The maximum time window that API allows in a single query. Defaults to `24h`
+to match Microsoft's documented limit.
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard:
+
+[role="screenshot"]
+image::./images/filebeat-o365-audit.png[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/o365/_meta/fields.yml b/x-pack/filebeat/module/o365/_meta/fields.yml
new file mode 100644
index 000000000000..c97ac4808247
--- /dev/null
+++ b/x-pack/filebeat/module/o365/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: o365
+ title: Office 365
+ description: >
+ Module for handling logs from Office 365.
+ fields:
diff --git a/x-pack/filebeat/module/o365/_meta/kibana/7/dashboard/Filebeat-O365-Audit.json b/x-pack/filebeat/module/o365/_meta/kibana/7/dashboard/Filebeat-O365-Audit.json
new file mode 100644
index 000000000000..16c63c4dbce4
--- /dev/null
+++ b/x-pack/filebeat/module/o365/_meta/kibana/7/dashboard/Filebeat-O365-Audit.json
@@ -0,0 +1,1051 @@ +{ + "objects": [ + { + "attributes": { + "description": "Sample dashboard for Office 365 Management Activity events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Total audit events" + }, + "gridData": { + "h": 6, + "i": "b6942e2a-81dc-40e4-a932-8b7a864b28bc", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "b6942e2a-81dc-40e4-a932-8b7a864b28bc", + "panelRefName": "panel_0", + "title": "Total audit events", + "version": "7.6.0" + }, + { + "embeddableConfig": { + "title": "Event histogram by service" + }, + "gridData": { + "h": 14, + "i": "9673e6df-4b1e-4771-b1c6-c41c9bfc7272", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "9673e6df-4b1e-4771-b1c6-c41c9bfc7272", + "panelRefName": "panel_1", + "title": "Event histogram by service", + "version": "7.6.0" + }, + { + "embeddableConfig": { + "colors": { + "alert": "#EF843C", + "event": "#7EB26D" + }, + "legendOpen": true, + "title": "Events by type", + "vis": { + "colors": { + "alert": "#E24D42", + "event": "#7EB26D" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 8, + "i": "70ab7239-c65c-41da-8242-da61750745d7", + "w": 10, + "x": 0, + "y": 6 + }, + "panelIndex": "70ab7239-c65c-41da-8242-da61750745d7", + "panelRefName": "panel_2", + "title": "Events by type", + "version": "7.6.0" + }, + { + "embeddableConfig": { + "colors": { + "failure": "#E24D42", + "success": "#629E51" + }, + "legendOpen": false, + "title": "Top users by authentication failures", + "vis": { + "colors": { + "failure": "#E24D42", + "success": "#629E51" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 17, + "i": "775ced7d-7c58-44bc-8d4e-2a757d2c218c", + "w": 10, + "x": 0, + "y": 14 + }, + "panelIndex": "775ced7d-7c58-44bc-8d4e-2a757d2c218c", + "panelRefName": "panel_3", + "title": 
"Top users by authentication failures", + "version": "7.6.0" + }, + { + "embeddableConfig": { + "hiddenLayers": [], + "isLayerTOCOpen": false, + "mapCenter": { + "lat": 42.68781, + "lon": -48.94209, + "zoom": 1.88 + }, + "openTOCDetails": [], + "title": "Client geolocation map" + }, + "gridData": { + "h": 17, + "i": "15fe975b-6b8b-4445-872d-e06c041e2c31", + "w": 38, + "x": 10, + "y": 14 + }, + "panelIndex": "15fe975b-6b8b-4445-872d-e06c041e2c31", + "panelRefName": "panel_4", + "title": "Client geolocation map", + "version": "7.6.0" + }, + { + "embeddableConfig": { + "title": "Data Loss Prevention alerts" + }, + "gridData": { + "h": 13, + "i": "481f1778-caad-4971-b598-bb61c94bf998", + "w": 48, + "x": 0, + "y": 31 + }, + "panelIndex": "481f1778-caad-4971-b598-bb61c94bf998", + "panelRefName": "panel_5", + "title": "Data Loss Prevention alerts", + "version": "7.6.0" + } + ], + "timeRestore": false, + "title": "[Filebeat o365] Audit Dashboard ECS", + "version": 1 + }, + "id": "712e2c00-685d-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "0be1adb0-6860-11ea-8d6a-292ef5d68366", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "8b033510-685a-11ea-8d6a-292ef5d68366", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "d43c95a0-6864-11ea-8d6a-292ef5d68366", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "897d0c70-6869-11ea-8d6a-292ef5d68366", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "dbae13c0-685c-11ea-8d6a-292ef5d68366", + "name": "panel_4", + "type": "map" + }, + { + "id": "8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-03-17T19:40:51.528Z", + "version": "WzY3MywyXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Count [Filebeat o365]", + 
"uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 40, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Audit Event Count [Filebeat o365]", + "type": "metric" + } + }, + "id": "0be1adb0-6860-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-03-17T15:42:14.802Z", + "version": "WzU5OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "savedSearchRefName": "search_0", + "title": "Events Histogram [Filebeat o365]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + 
"scaleMetricValues": false, + "timeRange": { + "from": "2020-02-05T03:25:59.045Z", + "to": "2020-02-29T10:59:01.067Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://localhost:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "event.code: Descending", + "params": {} + } + ], + "x": { + "accessor": 1, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "label": "@timestamp per 12 hours", + "params": { + "bounds": { + "max": "2020-02-29T10:59:01.067Z", + "min": "2020-02-05T03:25:59.045Z" + }, + "date": true, + "format": "YYYY-MM-DD HH:mm", + "interval": "PT12H", + "intervalESUnit": "h", + "intervalESValue": 12 + } + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + 
"valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Events Histogram [Filebeat o365]", + "type": "histogram" + } + }, + "id": "8b033510-685a-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-03-17T14:21:07.680Z", + "version": "WzU3MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Type [Filebeat o365]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.kind", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Audit Event Type [Filebeat o365]", + "type": "pie" + } + }, + "id": "d43c95a0-6864-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "fdc14020-6859-11ea-8d6a-292ef5d68366", + 
"name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-03-17T15:34:45.498Z", + "version": "WzU5NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "authentication" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "authentication" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Authentication Failures [Filebeat o365]", + "uiStateJSON": { + "vis": { + "colors": { + "failure": "#E24D42", + "success": "#629E51" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.outcome", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "asc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 2 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "row": true, + "size": 15 + }, + "schema": "split", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": false, + "style": 
{}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://localhost:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "event.outcome: Ascending", + "params": {} + } + ], + "splitRow": [ + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "", + "origin": "http://localhost:5601", + "pathname": "/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + } + ], + "x": null, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "grid": { + "categoryLines": false, + "valueAxis": "" + }, + "labels": { + "show": true + }, + "legendPosition": "bottom", + "orderBucketsBySum": true, + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": false, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": false, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Top Authentication Failures [Filebeat o365]", + "type": "horizontal_bar" + } + }, + "id": "897d0c70-6869-11ea-8d6a-292ef5d68366", + "migrationVersion": { + 
"visualization": "7.4.2" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-03-17T17:33:41.990Z", + "version": "WzYwOCwxXQ==" + }, + { + "attributes": { + "bounds": { + "coordinates": [ + [ + [ + -52.43037, + 65.94892 + ], + [ + -52.43037, + -22.98633 + ], + [ + 85.77811, + -22.98633 + ], + [ + 85.77811, + 65.94892 + ], + [ + -52.43037, + 65.94892 + ] + ] + ], + "type": "Polygon" + }, + "description": "", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":0}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":8,\"maxSize\":32,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbol\":{\"options\":{\"symbolizeAs\":\"circle\",\"symbolId\":\"airfield\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", + "mapStateJSON": "{\"zoom\":2.88,\"center\":{\"lon\":16.67387,\"lat\":30.87292},\"timeFilters\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"o365.audit\\\" \",\"language\":\"kuery\"},\"filters\":[]}", + "title": "Client Geo Map [Filebeat o365 audit]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "id": "dbae13c0-685c-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "map": "7.6.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2020-03-17T14:45:09.571Z", + "version": "WzU4NCwxXQ==" + }, + { + 
"attributes": { + "columns": [ + "event.category", + "event.type", + "event.action", + "event.outcome", + "user.name", + "file.name", + "rule.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "o365.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "o365.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "alert" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "ComplianceDLPSharePoint", + "ComplianceDLPExchange" + ], + "type": "phrases", + "value": "ComplianceDLPSharePoint, ComplianceDLPExchange" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "ComplianceDLPSharePoint" + } + }, + { + "match_phrase": { + "event.code": "ComplianceDLPExchange" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Data Loss Prevention [Filebeat o365]", + "version": 1 + }, + "id": "8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + 
"id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-03-17T19:36:06.449Z", + "version": "WzY3MCwyXQ==" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"o365.audit\" " + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events [Filebeat O365]", + "version": 1 + }, + "id": "fdc14020-6859-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-03-17T14:17:10.688Z", + "version": "WzU2OSwxXQ==" + } + ], + "version": "7.6.0" +} diff --git a/x-pack/filebeat/module/o365/audit/_meta/fields.yml b/x-pack/filebeat/module/o365/audit/_meta/fields.yml new file mode 100644 index 000000000000..7d3311fb20cd --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/_meta/fields.yml 
@@ -0,0 +1,294 @@ + - name: o365.audit + type: group + default_field: false + description: > + Fields from Office 365 Management API audit logs. + fields: + - name: Actor + type: array + fields: + - name: ID + type: keyword + + - name: Type + type: keyword + + - name: ActorContextId + type: keyword + + - name: ActorIpAddress + type: keyword + + - name: ActorUserId + type: keyword + + - name: ActorYammerUserId + type: keyword + + - name: AlertEntityId + type: keyword + + - name: AlertId + type: keyword + + - name: AlertLinks + type: array + + - name: AlertType + type: keyword + + - name: AppId + type: keyword + + - name: ApplicationDisplayName + type: keyword + + - name: ApplicationId + type: keyword + + - name: AzureActiveDirectoryEventType + type: keyword + + - name: ExchangeMetaData.* + type: object + + - name: Category + type: keyword + + - name: ClientAppId + type: keyword + + - name: ClientInfoString + type: keyword + + - name: ClientIP + type: keyword + + - name: ClientIPAddress + type: keyword + + - name: Comments + type: text + norms: false + + - name: CorrelationId + type: keyword + + - name: CreationTime + type: keyword + + - name: CustomUniqueId + type: keyword + + - name: Data + type: keyword + + - name: DataType + type: keyword + + - name: EntityType + type: keyword + + - name: EventData + type: keyword + + - name: EventSource + type: keyword + + - name: ExceptionInfo.* + type: object + + - name: ExtendedProperties.* + type: object + + - name: ExternalAccess + type: keyword + + - name: GroupName + type: keyword + + - name: Id + type: keyword + + - name: ImplicitShare + type: keyword + + - name: IncidentId + type: keyword + + - name: InternalLogonType + type: keyword + + - name: InterSystemsId + type: keyword + + - name: IntraSystemId + type: keyword + + - name: Item.* + type: object + + - name: Item.*.* + type: object + + - name: ItemName + type: keyword + + - name: ItemType + type: keyword + + - name: ListId + type: keyword + + - name: 
ListItemUniqueId + type: keyword + + - name: LogonError + type: keyword + + - name: LogonType + type: keyword + + - name: LogonUserSid + type: keyword + + - name: MailboxGuid + type: keyword + + - name: MailboxOwnerMasterAccountSid + type: keyword + + - name: MailboxOwnerSid + type: keyword + + - name: MailboxOwnerUPN + type: keyword + + - name: Members + type: array + + - name: Members.* + type: object + + - name: ModifiedProperties.*.* + type: object + + - name: Name + type: keyword + + - name: ObjectId + type: keyword + + - name: Operation + type: keyword + + - name: OrganizationId + type: keyword + + - name: OrganizationName + type: keyword + + - name: OriginatingServer + type: keyword + + - name: Parameters.* + type: object + + - name: PolicyDetails + type: array + + - name: PolicyId + type: keyword + + - name: RecordType + type: keyword + + - name: ResultStatus + type: keyword + + - name: SensitiveInfoDetectionIsIncluded + type: keyword + + - name: SharePointMetaData.* + type: object + + - name: SessionId + type: keyword + + - name: Severity + type: keyword + + - name: Site + type: keyword + + - name: SiteUrl + type: keyword + + - name: Source + type: keyword + + - name: SourceFileExtension + type: keyword + + - name: SourceFileName + type: keyword + + - name: SourceRelativeUrl + type: keyword + + - name: Status + type: keyword + + - name: SupportTicketId + type: keyword + + - name: Target + type: array + fields: + - name: ID + type: keyword + + - name: Type + type: keyword + + - name: TargetContextId + type: keyword + + - name: TargetUserOrGroupName + type: keyword + + - name: TargetUserOrGroupType + type: keyword + + - name: TeamName + type: keyword + + - name: TeamGuid + type: keyword + + - name: UniqueSharingId + type: keyword + + - name: UserAgent + type: keyword + + - name: UserId + type: keyword + + - name: UserKey + type: keyword + + - name: UserType + type: keyword + + - name: Version + type: keyword + + - name: WebId + type: keyword + + - name: 
Workload + type: keyword + + - name: YammerNetworkId + type: keyword diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml new file mode 100644 index 000000000000..93fe560ddc50 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -0,0 +1,62 @@ +{{ if eq .input "o365audit" }} + +type: o365audit +{{ if .application_id }}application_id: {{ .application_id }}{{ end }} +tenant_id: +{{ range .tenants }} + - {{ .id }} +{{ end }} +{{ if .certificate }}certificate: {{ .certificate }}{{ end }} +{{ if .key }}key: {{ .key }}{{ end }} +{{ if .key_passphrase }}key_passphrase: {{ .key_passphrase }}{{ end }} +{{ if .client_secret }}client_secret: {{ .client_secret }}{{ end }} +{{ if eq "string" (printf "%T" .content_type) }} +content_type: {{ .content_type }} +{{ else }} +content_type: +{{ range .content_type }} + - {{ . }} +{{ end }} +{{ end }} +{{ if .api }} +api: +{{ range $k, $v := .api }} + - {{ $k }}: {{ $v -}} +{{ end }} +{{ end }} + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range .paths }} + - {{ . }} +{{ end }} +exclude_files: [".gz$"] +json.add_error_key: true + +{{ end }} + +processors: +{{ if eq .input "file" }} + - rename: + fields: + - from: json + to: o365audit + - timestamp: + field: o365audit.CreationTime + layouts: + - 2006-01-02T15:04:05 +{{ end }} + - script: + lang: javascript + id: o365audit_script + file: ${path.home}/module/o365/audit/config/pipeline.js + params: + debug: false + tenants: + {{ range .tenants }} + - id: "{{ .id }}" + name: "{{ .name }}" + {{ end }} + diff --git a/x-pack/filebeat/module/o365/audit/config/pipeline.js b/x-pack/filebeat/module/o365/audit/config/pipeline.js new file mode 100644 index 000000000000..679330a494b0 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/config/pipeline.js 
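Review bot: The fields that drive triage — ActorIpAddress, ClientIP, ClientIPAddress, UserId, UserAgent, LogonError — carry no `description:`, so the generated field reference shows a bare type and an analyst gets no guidance on what each holds or which service populates it. The three address fields are `keyword` rather than `ip`; that is defensible because Office 365 address values can carry a port suffix, but it rules out CIDR and range queries on the raw field, and a one-line description such as `description: Client IP as reported by the service; may include a port. Use the ECS copy for range queries.` would make that explicit (the ECS mapping presumably lives in pipeline.js, which is not visible here). `Data` and `EventData` are also `keyword`; if the template applies the usual keyword `ignore_above`, long JSON alert payloads in those fields will not be indexed — worth confirming and stating in the description.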
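Review bot: `client_secret` and `key_passphrase` are written into the rendered YAML unquoted (`client_secret: {{ .client_secret }}`), so a secret containing `#`, a leading `*`, `&` or `{`, or a `: ` sequence is truncated or fails to parse, and the operator only sees an authentication failure with no hint that the value was mangled. Emitting them as quoted scalars, e.g. `client_secret: {{ printf "%q" .client_secret }}` and `key_passphrase: {{ printf "%q" .key_passphrase }}`, avoids that; `certificate` and `key` paths with spaces have the same problem. Separately, the `api:` section is rendered as a YAML sequence of one-key maps (`- {{ $k }}: {{ $v -}}`) while the documentation describes `var.api` as a mapping; unless the config unpacker merges sequences into the struct, those advanced options are silently ignored, so I would drop the dash (`  {{ $k }}: {{ $v }}`) and add a config test that sets `max_requests_per_minute`. `params.debug` is hard-coded to `false`, which is the right default since the debug path dumps whole events to the log, but the docs should say it cannot be switched on from the module config.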
@@ -0,0 +1,852 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var processor = require("processor"); +var console = require("console"); + +// PipelineBuilder to aid debugging of pipelines during development. +function PipelineBuilder(pipelineName, debug) { + this.pipeline = new processor.Chain(); + this.add = function (processor) { + this.pipeline = this.pipeline.Add(processor); + }; + this.Add = function (name, processor) { + this.add(processor); + if (debug) { + this.add(makeLogEvent("after " + pipelineName + "/" + name)); + } + }; + this.Build = function () { + if (debug) { + this.add(makeLogEvent(pipelineName + "processing done")); + } + return this.pipeline.Build(); + }; + if (debug) { + this.add(makeLogEvent(pipelineName + ": begin processing event")); + } +} + +function appendFields(options) { + return function(evt) { + options.fields.forEach(function (key) { + var value = evt.Get(key); + if (value != null) evt.AppendTo(options.to, value); + }); + } +} + +// logEvent(msg) +// +// Processor that logs the current value of evt to console.debug. +function makeLogEvent(msg) { + return function (evt) { + console.debug(msg + " :" + JSON.stringify(evt, null, 4)); + }; +} + +// makeConditional({condition:expr, result1:processor|expr, [...]}) +// +// Processor that selects which processor to run depending on the result of +// evaluating a _condition_. Result can be boolean (if-else equivalent) or any +// other value (switch equivalent). Unspecified values are a no-op. +function makeConditional(options) { + return function (evt) { + var branch = options[options.condition(evt)] || function(evt){}; + return (typeof branch === "function" ? 
branch : branch.Run)(evt); + }; +} + +// makeMapper({from:field, to:field, default:value mappings:{orig: new, [...]}}) +// +// Processor that sets the `to` field by mapping of `from` field's value. +function makeMapper(options) { + return function (evt) { + var key = evt.Get(options.from); + if (key == null && options.skip_missing) return; + if (options.lowercase && typeof key == "string") { + key = key.toLowerCase(); + } + var value = options.default; + if (key in options.mappings) { + value = options.mappings[key]; + } else if (typeof value === "function") { + value = value(key); + } + if (value != null) { + evt.Put(options.to, value); + } + }; +} + +// Makes sure a name can be used as a field in the output document. +function validFieldName(s) { + return s.replace(/[\ \.]/g, '_') +} + +/* Turns a `common.NameValuePair` array into an object. Multiple-value fields + are stored as arrays. + input (a NameValuePair array): + from_field: [ + {Name: name1, Value: value1}, + {Name: name2, Value: value2}, + {Name: name2, Value: value2b}, + [...] + {Name: nameN, Value: valueN} + ] + + output (an object): + to_field: { + name1: value1, + name2: [value2, value2b], + [...] + nameN: valueN + } +*/ +function makeObjFromNameValuePairArray(options) { + return function(evt) { + var src = evt.Get(options.from); + var dict = {}; + if (src == null || !(src instanceof Array)) return; + for (var i=0; i < src.length; i++) { + var name, value; + if (src[i] == null + || (name=src[i].Name) == null + || (value=src[i].Value) == null) continue; + name = validFieldName(name); + if (name in dict) { + if (dict[name] instanceof Array) { + dict[name].push(value); + } else { + dict[name] = [value]; + } + } else { + dict[name] = value; + } + } + evt.Put(options.to, dict); + } +} + +/* Converts a Common.ModifiedProperty array into an object. 
+ input: + from_field: [ + {Name: name1, OldValue: old1, NewValue: new1}, + {Name: name2, OldValue: old2, NewValue: new2}, + {Name: name2, OldValue: old2b, NewValue: new2b}, + [...] + {Name: nameN, OldValue: oldN, NewValue: newN}, + ], + + output: + to_field: { + name1: { OldValue: old1, NewValue: new1 }, + name2: { OldValue: [old2, old2b], NewValue: [new2, new2b] }, + [...] + nameN: { OldValue: oldN, NewValue: newN } + } + */ +function makeDictFromModifiedPropertyArray(options) { + return function(evt) { + var src = evt.Get(options.from); + var dict = {}; + if (src == null || !(src instanceof Array)) return; + for (var i=0; i < src.length; i++) { + var name, newValue, oldValue; + if (src[i] == null + || (name=src[i].Name) == null + || (newValue=src[i].NewValue) == null + || (oldValue=src[i].OldValue)) continue; + name = validFieldName(name); + if (name in dict) { + if (dict[name].NewValue instanceof Array) { + dict[name].NewValue.push(newValue); + dict[name].OldValue.push(oldValue); + } else { + dict[name].NewValue = [newValue]; + dict[name].OldValue = [oldValue]; + } + } else { + dict[name] = { + NewValue: newValue, + OldValue: oldValue, + }; + } + } + evt.Put(options.to, dict); + } +} + +function exchangeAdminSchema(debug) { + var builder = new PipelineBuilder("o365.audit.ExchangeAdmin", debug); + builder.Add("saveFields", new processor.Convert({ + fields: [ + {from: 'o365audit.OrganizationName', to: 'organization.name'}, + {from: 'o365audit.OriginatingServer', to: 'server.address'}, + ], + ignore_missing: true, + fail_on_error: false + })); + return builder.Build(); +} + +function azureADLogonSchema(debug) { + var builder = new PipelineBuilder("o365.audit.AzureActiveDirectory", debug); + builder.Add("setEventAuthFields", function(evt){ + evt.Put("event.category", "authentication"); + var outcome = evt.Get("event.outcome"); + // As event.type is an array, this sets both the traditional + // "authentication_success"/"authentication_failure" + // and the ECS 
standard "start". + var types = ["start"]; + if (outcome != null && outcome !== "unknown") { + types.push("authentication_" + outcome); + } + evt.Put("event.type", types); + }); + return builder.Build(); +} + +function sharePointFileOperationSchema(debug) { + var builder = new PipelineBuilder("o365.audit.SharePointFileOperation", debug); + builder.Add("saveFields", new processor.Convert({ + fields: [ + {from: 'o365audit.ObjectId', to: 'url.original'}, + {from: 'o365audit.SourceRelativeUrl', to: 'file.directory'}, + {from: 'o365audit.SourceFileName', to: 'file.name'}, + {from: 'o365audit.SourceFileExtension', to: 'file.extension'}, + ], + ignore_missing: true, + fail_on_error: false + })); + builder.Add("setEventCategory", new processor.AddFields({ + target: 'event', + fields: { + category: 'file', + }, + })); + builder.Add("mapEventType", makeMapper({ + from: 'o365audit.Operation', + to: 'event.type', + mappings: { + 'FileAccessed': 'access', + 'FileDeleted': 'deletion', + 'FileDownloaded': 'access', + 'FileModified': 'change', + 'FileMoved': 'change', + 'FileRenamed': 'change', + 'FileRestored': 'change', + 'FileUploaded': 'creation', + 'FolderCopied': 'creation', + 'FolderCreated': 'creation', + 'FolderDeleted': 'deletion', + 'FolderModified': 'change', + 'FolderMoved': 'change', + 'FolderRenamed': 'change', + 'FolderRestored': 'change', + }, + })); + return builder.Build(); +} + +function exchangeMailboxSchema(debug) { + var builder = new PipelineBuilder("o365.audit.SharePointFileOperation", debug); + builder.Add("saveFields", new processor.Convert({ + fields: [ + {from: 'o365audit.MailboxOwnerUPN', to: 'user.email'}, + {from: 'o365audit.LogonUserSid', to: 'user.id', type: 'string'}, + {from: 'o365audit.LogonUserDisplayName', to: 'user.full_name'}, + {from: 'o365audit.OrganizationName', to: 'organization.name'}, + {from: 'o365audit.OriginatingServer', to: 'server.address'}, + {from: 'o365audit.ClientIPAddress', to: 'client.address'}, + {from: 
'o365audit.ClientProcessName', to: 'process.name'}, + ], + ignore_missing: true, + fail_on_error: false + })); + return builder.Build(); +} + +function dataLossPreventionSchema(debug) { + var builder = new PipelineBuilder("o365.audit.DLP", debug); + builder.Add("setEventFields", new processor.AddFields({ + target: 'event', + fields: { + kind: 'alert', + category: 'file', + type: 'access', + }, + })); + + builder.Add("saveFields", new processor.Convert({ + fields: [ + // SharePoint metadata + {from: 'o365audit.SharePointMetaData.From', to: 'user.id'}, + {from: 'o365audit.SharePointMetaData.FileName', to: 'file.name'}, + {from: 'o365audit.SharePointMetaData.FilePathUrl', to: 'url.original'}, + {from: 'o365audit.SharePointMetaData.UniqueId', to: 'file.inode'}, + {from: 'o365audit.SharePointMetaData.UniqueID', to: 'file.inode'}, + {from: 'o365audit.SharePointMetaData.FileOwner', to: 'file.owner'}, + + // Exchange metadata + {from: 'o365audit.ExchangeMetaData.From', to: 'source.user.email'}, + {from: 'o365audit.ExchangeMetaData.Subject', to: 'message'}, + + // Policy details + {from: 'o365audit.PolicyId', to: 'rule.id'}, + {from: 'o365audit.PolicyName', to: 'rule.name'}, + ], + ignore_missing: true, + fail_on_error: false + })); + + builder.Add("setMTime", new processor.Timestamp({ + field: "o365audit.SharePointMetaData.LastModifiedTime", + target_field: "file.mtime", + layouts: [ + "2006-01-02T15:04:05", + "2006-01-02T15:04:05Z", + ], + ignore_missing: true, + ignore_failure: true, + })); + + builder.Add("appendDestinationEmails", function(evt) { + var list = []; + var fields = [ + 'o365audit.ExchangeMetaData.To', + 'o365audit.ExchangeMetaData.CC', + 'o365audit.ExchangeMetaData.BCC', + ]; + for (var i=0; i 1) { + evt.Put("destination.user.email", list); + } + }); + + // ExceptionInfo is documented as string but has been observed to be an object. 
+ builder.Add("fixExceptionInfo", function(evt) { + var key = "o365audit.ExceptionInfo"; + var eInfo = evt.Get(key); + if (eInfo == null) return; + if (typeof eInfo === "string") { + if (eInfo === "") { + evt.Delete(key); + } else { + evt.Put(key, { + Reason: eInfo, + }); + } + } + }); + + builder.Add("extractRules", function(evt) { + var policies = evt.Get("o365audit.PolicyDetails"); + if (policies == null) return; + // rule.id will be an array of all rules' IDs. + var ruleIds = []; + // rule.name will be an array of all rules' names. + var ruleNames = []; + // event.severity will be the higher severity seen. + var maxSeverity = -1; + // event.outcome will determine if access to sensitive data was allowed. + // Either because the rules were configured to only alert or because + // the alert was overridden by the user. + var allowed = true; + for (var i = 0; i < policies.length; i++) { + var rules = policies[i].Rules; + if (rules == null) continue; + for (var j = 0; j < rules.length; j++) { + var rule = rules[j]; + var id = rule.RuleId; + var name = rule.RuleName; + var sev = severityToCode(rule.Severity); + if (id != null && name != null) { + ruleIds.push(id); + ruleNames.push(name); + } + if (sev > maxSeverity) maxSeverity = sev; + if (allowed) { + if (rule.Actions != null && rule.Actions.indexOf("BlockAccess") > -1) { + allowed = false; + } + } + } + } + if (ruleIds.length === 1) { + evt.Put("rule.id", ruleIds[0]); + evt.Put("rule.name", ruleNames[0]); + } else if (ruleIds.length > 0) { + evt.Put("rule.id", ruleIds); + evt.Put("rule.name", ruleNames); + } + if (maxSeverity > -1) { + evt.Put("event.severity", maxSeverity); + } + evt.Put("event.outcome", (allowed || isBlockOverride(evt))? "success" : "failure"); + }); + return builder.Build(); +} + +// Numeric mapping for o365 mgmt API severities. +function severityToCode(str) { + if (str == null) return -1; + switch (str.toLowerCase()) { + case 'informational': return 1; // undocumented severity. 
+ case 'low': return 2; + case 'medium': return 3; + case 'high': return 4; + default: return -1; + } +} + +// Was a DLP alert overridden with an exception? +function isBlockOverride(evt) { + switch (evt.Get("o365audit.Operation").toLowerCase()) { + // Undo means the block was undone via change of policy or override. + case "dlpruleundo": return true; + // Info means it was detected as a false positive but no action taken. + case "dlpinfo": return false; + } + // It's not clear to me the format of ExceptionInfo. It could be an object + // or a string containing a JSON object. Assume that if present, an exception + // is made. + var exInfo = evt.Get('o365audit.ExceptionInfo'); + return exInfo != null && exInfo !== ""; +} + +function yammerSchema(debug) { + var builder = new PipelineBuilder("o365.audit.Yammer", debug); + builder.Add("saveFields", new processor.Convert({ + fields: [ + {from: 'o365audit.ActorUserId', to: 'user.email'}, + {from: 'o365audit.ActorYammerUserId', to: 'user.id', type: 'string'}, + {from: 'o365audit.FileId', to:'file.inode'}, + {from: 'o365audit.FileName', to: 'file.name'}, + {from: 'o365audit.GroupName', to: 'group.name'}, + {from: 'o365audit.TargetUserId', to: 'destination.user.email'}, + {from: 'o365audit.TargetYammerUserId', to: 'destination.user.id'}, + ], + ignore_missing: true, + fail_on_error: false + })); + + var actionToCategoryType = { + // Network or verified admin changes the information that appears on + // member profiles for network users network. + ProcessProfileFields: [ "iam", "user"], + // Verified admin updates the Yammer network's security configuration. + // This includes setting password expiration policies and restrictions + // on IP addresses. + NetworkSecurityConfigurationUpdated: [ "iam", "admin"], + // User uploads a file. + FileCreated: [ "file", "creation"], + // User creates a group. + GroupCreation: [ "iam", ["group", "creation"] ], + // A group is deleted from Yammer. 
+ GroupDeletion: [ "iam", ["group", "deletion"] ], + // User downloads a file. + FileDownloaded: [ "file", "access"], + // User shares a file with another user. + FileShared: [ "file", "access"], + // Network or verified admin suspends (deactivates) a user from Yammer. + NetworkUserSuspended: [ "iam", "user"], + // User account is suspended (deactivated). + UserSuspension: [ "iam", "user"], + // User changes the description of a file. + FileUpdateDescription: [ "file", "access"], + // User changes the name of a file. + FileUpdateName: [ "file", "creation"], + // User views a file. + FileVisited: [ "file", "access"], + }; + + builder.Add("setEventFields", function(evt) { + var action = evt.Get("event.action"); + if (action == null) return; + var fields = actionToCategoryType[action]; + if (fields == null) return; + evt.Put("event.category", fields[0]); + evt.Put("event.type", fields[1]); + }); + return builder.Build(); +} + +function securityComplianceAlertsSchema(debug) { + var builder = new PipelineBuilder("o365.audit.SecurityComplianceAlerts", debug); + builder.Add("saveFields", new processor.Convert({ + fields: [ + {from: 'o365audit.Comments', to: 'message'}, + {from: 'o365audit.Name', to: 'rule.name'}, + {from: 'o365audit.PolicyId', to: 'rule.id'}, + {from: 'o365audit.Category', to: 'rule.category'}, + {from: 'o365audit.EntityType', to: 'rule.ruleset'}, + // This contains the entity that triggered the alert. + // Name of a malware or email address. + // Need to find a better ECS field for it. + {from: 'o365audit.AlertEntityId', to: 'rule.description'}, + {from: 'o365audit.AlertLinks', to: 'rule.reference'}, + ], + ignore_missing: true, + fail_on_error: false + })); + builder.Add("setEventFields", new processor.AddFields({ + target: 'event', + fields: { + kind: 'alert', + category: 'web', + type: 'info', + }, + })); + // event.severity is numeric. 
+ builder.Add("mapSeverity", function(evt) { + var sev = severityToCode(evt.Get("o365audit.Severity")); + if (sev >= 0) { + evt.Put("event.severity", sev); + } + }); + builder.Add("mapCategory", makeMapper({ + from: 'o365audit.Category', + to: 'event.category', + default: 'authentication', + lowercase: true, + mappings: { + 'accessgovernance': 'authentication', + 'datagovernance': 'file', + 'datalossprevention': 'file', + 'threatmanagement': 'malware', + }, + })); + builder.Add("saveEntity", makeConditional({ + condition: function(evt) { + return evt.Get("o365audit.EntityType"); + }, + 'User': new processor.Convert({ + fields: [ + {from: "o365audit.AlertEntityId", to: "user.id", type: 'string'}, + ], + ignore_missing: true, + fail_on_error: false + }), + 'Recipients': new processor.Convert({ + fields: [ + {from: "o365audit.AlertEntityId", to: "user.email"}, + ], + ignore_missing: true, + fail_on_error: false + }), + 'Sender': new processor.Convert({ + fields: [ + {from: "o365audit.AlertEntityId", to: "user.email"}, + ], + ignore_missing: true, + fail_on_error: false + }), + 'MalwareFamily': new processor.Convert({ + fields: [ + {from: "o365audit.AlertEntityId", to: "threat.technique.id"}, + ], + ignore_missing: true, + fail_on_error: false + }), + })); + return builder.Build(); +} + +function AuditProcessor(tenant_names, debug) { + var builder = new PipelineBuilder("o365.audit", debug); + + var unsetIPValues = {"null": true, "": true, "": true}; + builder.Add("cleanupNulls", function(event) { + [ + "o365audit.ClientIP", + "o365audit.ClientIPAddress", + "o365audit.ActorIpAddress", + "o365audit.OriginatingServer" + ].forEach(function(field) { + if (event.Get(field) in unsetIPValues) event.Delete(field); + }); + }); + builder.Add("convertCommonAuditRecordFields", new processor.Convert({ + fields: [ + {from: "o365audit.Id", to: "event.id"}, + {from: "o365audit.ClientIP", to: "client.address"}, + {from: "o365audit.ClientIPAddress", to: "client.address"}, + {from: 
"o365audit.ActorIpAddress", to: "client.address"}, + {from: "o365audit.UserId", to: "user.id", type: "string"}, + {from: "o365audit.Workload", to: "event.provider"}, + {from: "o365audit.Operation", to: "event.action"}, + {from: "o365audit.OrganizationId", to: "organization.id"}, + // Extra common fields: + {from: "o365audit.UserAgent", to: "user_agent.original"}, + ], + ignore_missing: true, + fail_on_error: false + })); + builder.Add("mapEventType", makeMapper({ + from: 'o365audit.RecordType', + to: 'event.code', + // Keep original RecordType for unknown mappings. + default: function(recordType) { + return recordType; + }, + mappings: { + 1: 'ExchangeAdmin', // Events from the Exchange admin audit log. + 2: 'ExchangeItem', // Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. + 3: 'ExchangeItemGroup', // Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages. + 4: 'SharePoint', // SharePoint events. + 6: 'SharePointFileOperation', // SharePoint file operation events. + 8: 'AzureActiveDirectory', // Azure Active Directory events. + 9: 'AzureActiveDirectoryAccountLogon', // Azure Active Directory OrgId logon events (deprecating). + 10: 'DataCenterSecurityCmdlet', // Data Center security cmdlet events. + 11: 'ComplianceDLPSharePoint', // Data loss protection (DLP) events in SharePoint and OneDrive for Business. + 12: 'Sway', // Events from the Sway service and clients. + 13: 'ComplianceDLPExchange', // Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported. + 14: 'SharePointSharingOperation', // SharePoint sharing events. + 15: 'AzureActiveDirectoryStsLogon', // Secure Token Service (STS) logon events in Azure Active Directory. 
+ 18: 'SecurityComplianceCenterEOPCmdlet', // Admin actions from the Security & Compliance Center. + 20: 'PowerBIAudit', // Power BI events. + 21: 'CRM', // Microsoft CRM events. + 22: 'Yammer', // Yammer events. + 23: 'SkypeForBusinessCmdlets', // Skype for Business events. + 24: 'Discovery', // Events for eDiscovery activities performed by running content searches and managing eDiscovery cases in the Security & Compliance Center. + 25: 'MicrosoftTeams', // Events from Microsoft Teams. + 28: 'ThreatIntelligence', // Phishing and malware events from Exchange Online Protection and Office 365 Advanced Threat Protection. + 30: 'MicrosoftFlow', // Microsoft Power Automate (formerly called Microsoft Flow) events. + 31: 'AeD', // Advanced eDiscovery events. + 32: 'MicrosoftStream', // Microsoft Stream events. + 33: 'ComplianceDLPSharePointClassification', // Events related to DLP classification in SharePoint. + 35: 'Project', // Microsoft Project events. + 36: 'SharePointListOperation', // SharePoint List events. + 38: 'DataGovernance', // Events related to retention policies and retention labels in the Security & Compliance Center + 40: 'SecurityComplianceAlerts', // Security and compliance alert signals. + 41: 'ThreatIntelligenceUrl', // Safe links time-of-block and block override events from Office 365 Advanced Threat Protection. + 42: 'SecurityComplianceInsights', // Events related to insights and reports in the Office 365 security and compliance center. + 44: 'WorkplaceAnalytics', // Workplace Analytics events. + 45: 'PowerAppsApp', // Power Apps events. + 47: 'ThreatIntelligenceAtpContent', // Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Office 365 Advanced Threat Protection. + 49: 'TeamsHealthcare', // Events related to the Patients application in Microsoft Teams for Healthcare. + 52: 'DataInsightsRestApiAudit', // Data Insights REST API events. 
+ 54: 'SharePointListItemOperation', // SharePoint list item events. + 55: 'SharePointContentTypeOperation', // SharePoint list content type events. + 56: 'SharePointFieldOperation', // SharePoint list field events. + 64: 'AirInvestigation', // Automated incident response (AIR) events. + 66: 'MicrosoftForms', // Microsoft Forms events. + }, + })); + + builder.Add("setEventFields", new processor.AddFields({ + target: 'event', + fields: { + kind: 'event', + type: 'info', + // Not so sure about web as a default category: + category: 'web', + }, + })); + + builder.Add("mapEventOutcome", makeMapper({ + from: 'o365audit.ResultStatus', + to: 'event.outcome', + lowercase: true, + default: 'success', + mappings: { + 'success': 'success', // This one is necessary to map Success + 'succeeded': 'success', + 'partiallysucceeded': 'success', + 'true': 'success', + 'failed': 'failure', + 'false': 'failure', + }, + })); + + builder.Add("makeParametersDict", makeObjFromNameValuePairArray({ + from: 'o365audit.Parameters', + to: 'o365audit.Parameters', + })); + + builder.Add("makeExtendedPropertiesDict", makeObjFromNameValuePairArray({ + from: 'o365audit.ExtendedProperties', + to: 'o365audit.ExtendedProperties', + })); + + builder.Add("makeModifiedPropertyDict", makeDictFromModifiedPropertyArray({ + from: 'o365audit.ModifiedProperties', + to: 'o365audit.ModifiedProperties', + })); + + // Turn AlertLinks into an array of keyword instead of array of objects. + builder.Add("alertLinks", function (evt) { + var list = evt.Get("o365audit.AlertLinks"); + if (list == null || !(list instanceof Array)) return; + var links = []; + for (var i=0; i 0) { + links.push(link); + } + } + switch (links.length) { + case 0: + evt.Delete('o365audit.AlertLinks'); + break; + case 1: + evt.Put("o365audit.AlertLinks", links[0]); + break; + default: + evt.Put("o365audit.AlertLinks", links); + } + }); + + // Populate event specific fields. 
+ var dlp = dataLossPreventionSchema(debug); + builder.Add("productSpecific", makeConditional({ + condition: function(event) { + return event.Get("event.code"); + }, + 'ExchangeAdmin': exchangeAdminSchema(debug).Run, + 'ExchangeItem': exchangeMailboxSchema(debug).Run, + 'AzureActiveDirectoryStsLogon': azureADLogonSchema(debug).Run, + 'SharePointFileOperation': sharePointFileOperationSchema(debug).Run, + 'SecurityComplianceAlerts': securityComplianceAlertsSchema(debug).Run, + 'ComplianceDLPSharePoint': dlp.Run, + 'ComplianceDLPExchange': dlp.Run, + 'Yammer': yammerSchema(debug).Run, + })); + + builder.Add("extractClientIPv4Port", new processor.Dissect({ + tokenizer: '%{ip}:%{port}', + field: 'client.address', + target_prefix: 'client', + 'when.and': [ + {'contains.client.address': '.'}, + {'contains.client.address': ':'}, + ], + })); + builder.Add("extractClientIPv6Port", new processor.Dissect({ + tokenizer: '[%{ip}]:%{port}', + field: 'client.address', + target_prefix: 'client', + 'when.and': [ + {'contains.client.address': '['}, + {'contains.client.address': ':'}, + ], + })); + + // Copy the client/server.address to .ip fields if they are valid IPs. 
+ builder.Add("convertIPs", new processor.Convert({ + fields: [ + {from: "client.address", to: "client.ip", type: "ip"}, + {from: "server.address", to: "server.ip", type: "ip"}, + ], + ignore_missing: true, + fail_on_error: false + })); + + builder.Add("setSrcDstFields", new processor.Convert({ + fields: [ + {from: "client.ip", to: "source.ip"}, + {from: "client.port", to: "source.port"}, + {from: "server.ip", to: "destination.ip"}, + ], + ignore_missing: true, + fail_on_error: false + })); + + builder.Add("setUserFieldsFromId", new processor.Dissect({ + tokenizer: "%{name}@%{domain}", + field: "user.id", + target_prefix: "user", + 'when.contains.user.id': '@', + })); + + builder.Add("setNetworkType", function(event) { + var ip = event.Get("client.ip"); + if (ip == null) return; + event.Put("network.type", ip.indexOf(".") !== -1? "ipv4" : "ipv6"); + }); + + builder.Add("setRelatedIP", appendFields({ + fields: [ + "client.ip", + "server.ip", + ], + to: 'related.ip' + })); + + builder.Add("setRelatedUser", appendFields({ + fields: [ + "user.name", + "file.owner", + ], + to: 'related.user' + })); + + // Set user-agent from an alternative location. + builder.Add("altUserAgent", function(evt) { + var ext = evt.Get("o365audit.ExtendedProperties.UserAgent"); + if (ext != null) evt.Put("user_agent.original", ext); + }); + + // Set host.name to the O365 tenant. This is necessary to aggregate events + // in SIEM app based on the tenant instead of the host where Filebeat is + // running. + builder.Add("setHostName", function(evt) { + var value; + if ((value=evt.Get("organization.id"))!=null) { + value = value.toLowerCase(); + evt.Put("host.id", value); + // Use tenant name provided in the configuration. 
+ if (value in tenant_names && value !== "") { + evt.Put("organization.name", value); + evt.Put("host.name", tenant_names[value]); + return; + } + } + if ((value=evt.Get("organization.name"))!=null || + (value=evt.Get("user.domain")) != null ) { + evt.Put("host.name", value); + } + }); + + builder.Add("saveRaw", new processor.Convert({ + fields: [ + {from: "o365audit", to: "o365.audit"}, + ], + mode: "rename" + })); + + var chain = builder.Build(); + return { + process: chain.Run + }; +} + + +var audit; + +// Register params from configuration. +function register(params) { + var tenant_names = {}; + if (params.tenants != null) { + for (var i = 0; i < params.tenants.length; i++) { + tenant_names[params.tenants[i].id] = params.tenants[i].name.toLowerCase(); + } + } + audit = new AuditProcessor(tenant_names, params.debug); +} + +function process(evt) { + return audit.process(evt); +} diff --git a/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml new file mode 100644 index 000000000000..98fd4f0ff588 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml @@ -0,0 +1,33 @@ +description: Pipeline for Office 365 Audit logs + +processors: + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
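Review bot: In makeDictFromModifiedPropertyArray the last guard `|| (oldValue=src[i].OldValue)) continue;` is missing the `== null` comparison, so every entry whose OldValue is truthy is skipped and only entries with an empty or null OldValue reach the dict, the inverse of what makeObjFromNameValuePairArray does just above it; it should read `|| (oldValue=src[i].OldValue) == null) continue;`. In register() tenant ids are stored exactly as configured while setHostName lowercases organization.id before the `value in tenant_names` lookup, so a tenant id configured with uppercase hex never matches; normalising the key with `tenant_names[String(params.tenants[i].id).toLowerCase()] = ...` (and guarding `.name` against null before `.toLowerCase()`) fixes that, and `evt.Put("organization.name", value)` in that branch writes the lowercased id into organization.name where `tenant_names[value]` looks like the intended value. The `in` tests against plain object literals in setHostName, cleanupNulls and makeMapper also match inherited names such as `constructor`, so an event value equal to one of them is treated as a known key and, in makeMapper, its prototype value is written into the event; `Object.prototype.hasOwnProperty.call(obj, key)` is the safer test for event-supplied strings. Minor: exchangeMailboxSchema names its PipelineBuilder "o365.audit.SharePointFileOperation", which mislabels its debug output.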
diff --git a/x-pack/filebeat/module/o365/audit/manifest.yml b/x-pack/filebeat/module/o365/audit/manifest.yml
new file mode 100644
index 000000000000..a00b9626619b
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/manifest.yml
@@ -0,0 +1,21 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: o365audit
+ - name: certificate
+ - name: key
+ - name: key_passphrase
+ - name: application_id
+ - name: client_secret
+ - name: tenants
+ - name: content_type
+ - name: api
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+ - name: geoip
+ plugin: ingest-geoip
+ - name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log
new file mode 100644
index 000000000000..bb5a79acf8c1
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log
@@ -0,0 +1,100 @@ +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:49", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": 
"UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "6c3454e1-1a13-411b-bed1-08d7adfc0c09", "CreationTime": "2020-02-10T07:37:14"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "b5131b23-3efb-481a-c05b-08d7ac0f2a82", "CreationTime": "2020-02-07T20:49:03"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Organization", "Value": "testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Install-DefaultSharingPolicy", "Id": "ef597809-1c52-4a85-7cce-08d7adfc0939", "CreationTime": "2020-02-10T07:37:09"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Organization", "Value": "testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Install-AdminAuditLogConfig", "Id": 
"362ff802-6df6-47e5-09a2-08d7adfc095b", "CreationTime": "2020-02-10T07:37:09"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:13", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "Arbitration", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}"}, {"Name": "UMDataStorage", "Value": "True"}, {"Name": "Force", "Value": "True"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", "Id": "168019d2-1e8a-4394-e90b-08d7ac0f1e69", "CreationTime": 
"2020-02-07T20:48:43"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "InstantMessagingType", "Value": "Ocs"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:34", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-OwaMailboxPolicy", "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", "Id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": 
"Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:20", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:17", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", 
"ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "Parameters": [{"Name": "DoNotUpdateRecipients", "Value": "True"}, {"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}], "ObjectId": "testsiem.onmicrosoft.com", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:48:04", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "OrganizationName": "testsiem.onmicrosoft.com", "Operation": "Enable-AddressListPaging", "Id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:58", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": 
"False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "a324e83b-d1a3-4855-db2a-08d7ac0f277b", "OrganizationName": "testsiem.onmicrosoft.com"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB 
(107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:15", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", "OrganizationName": "testsiem.onmicrosoft.com"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "RecordType": 1, "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:09", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", 
"Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", "OrganizationName": "testsiem.onmicrosoft.com"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Version": 1, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "AppId": "", 
"ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", "CreationTime": "2020-02-10T07:37:15", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:49:09", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", "RecordType": 1} 
+{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "TenantAllowBlockLists", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", "CreationTime": "2020-02-10T07:37:18", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "ObjectId": "testsiem.onmicrosoft.com", "Workload": "Exchange", "OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-07T20:49:55", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TenantObjectVersion", "Id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", "CreationTime": "2020-02-10T07:37:13", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "SupervisionTags", "Value": "Reject;Allow"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Id": "e022fa0d-13b2-4314-b707-08d7adfc0868", "CreationTime": "2020-02-10T07:37:08", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TenantObjectVersion", "ObjectId": "testsiem.onmicrosoft.com", "Id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", "CreationTime": "2020-02-07T20:49:55", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:52", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Id": 
"8a3c4f54-f2de-4717-dd56-08d7ac0f23be", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "OMEncryptionStore", "Value": "True"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-07T20:48:49", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "Id": "9eb764a6-fee5-4c3a-6adc-08d7ac0f220f", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB 
(32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "TenantAllowBlockLists", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:18", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": 
"HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:56", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Id": "d83e97f0-951c-4ccc-630e-08d7ac0f267e", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", 
"Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:17", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft 
Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", "CreationTime": "2020-02-07T20:48:57", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], 
"Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "979931d3-c99d-45b1-14e1-08d7ac0f3209", "CreationTime": "2020-02-07T20:49:16", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:49:20", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "4bddac31-664e-4432-d181-08d7ac0f34d2", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "4d2e1010-489d-4aa0-e300-08d7ac0f314c", "CreationTime": "2020-02-07T20:49:14", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:48:44", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "Management", "Value": "True"}, {"Name": "Force", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "DisplayName", "Value": "Microsoft Exchange Migration"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "Migration", "Value": "True"}, {"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136"}, {"Name": "Arbitration", "Value": "True"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": 
"e79cb83c-25b7-4777-57f0-08d7ac0f1f74", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Version": 1, "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", "CreationTime": "2020-02-10T07:37:14", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-10T07:37:14", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "d3533d4d-f62f-4731-d0c9-08d7adfc0c7b", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", "CreationTime": "2020-02-07T20:49:20", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-07T20:49:08", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": 
"True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "bc03d223-966c-4e33-6cf7-08d7ac0f2d88", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB 
(21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", "CreationTime": "2020-02-07T20:49:20", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:09", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 
bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "7a500a7f-cc56-4dfd-d740-08d7ac0f2e45", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:10", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "6047e3da-8661-44a4-6fd2-08d7ac0f2e85", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", "CreationTime": "2020-02-07T20:49:21", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", "CreationTime": "2020-02-10T07:37:14", "RecordType": 1} 
+{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "Force", "Value": "True"}, {"Name": "UMGrammar", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "MaxSendSize", "Value": "1 GB (1,073,741,824 bytes)"}, {"Name": "MailRouting", "Value": "True"}, {"Name": "MessageTracking", "Value": "True"}, {"Name": "OMEncryption", "Value": "True"}, {"Name": "OABGen", "Value": "True"}, {"Name": "ClientExtensions", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"}, {"Name": "GMGen", "Value": "True"}, {"Name": "SuiteServiceStorage", "Value": "True"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", "CreationTime": "2020-02-07T20:48:42", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "AdminAuditLogEnabled", "Value": "True"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:55", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-AdminAuditLogConfig", "Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-07T20:49:52", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "HygieneSuite", "Value": "Premium"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "Workload": "Exchange", "UserType": 3, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:48:52", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", 
"RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Organization", "Value": "testsiem.onmicrosoft.com"}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}], "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "New-ExchangeAssistanceConfig", "Id": "627aa8ff-1411-475d-d202-08d7ac0f08a5", "CreationTime": "2020-02-07T20:48:06", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "Management", "Value": "True"}, {"Name": "Force", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "DisplayName", "Value": "Microsoft Exchange Migration"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "Migration", "Value": "True"}, {"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136"}, 
{"Name": "Arbitration", "Value": "True"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-10T07:37:12", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "TenantAllowBlockLists", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-10T07:37:18", "UserType": 3, "Version": 1, 
"ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:21", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft 
Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "8126fd52-b16b-45c5-6aff-08d7adfc0c97", "CreationTime": "2020-02-10T07:37:15", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", 
"OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-10T07:37:14", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "70f24b65-0224-473b-49b8-08d7adfc0c83", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": 
"QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "515c88f2-2cbf-4214-2d9b-08d7adfc0e0f", "CreationTime": "2020-02-10T07:37:17", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": 
"SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:48:57", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": 
"IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:49:02", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "40786a66-fbd5-4a24-d9af-08d7ac0f2a42", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", "CreationTime": "2020-02-10T07:37:15", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "DisplayName", "Value": "Microsoft Exchange"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042"}, {"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", 
"Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:48:51", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Id": "93d5f028-263c-45f1-dcf9-08d7ac0f2378", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:17", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, 
"ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "1eea5379-4c86-4d6f-00cf-08d7adfc0e23"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:17", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:23", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\Recipient Quota Policy"}, {"Name": "PublicFolderHierarchyMailboxCountQuota", "Value": "100"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-RecipientEnforcementProvisioningPolicy", "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:24", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "AdminAuditLogEnabled", "Value": "True"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-AdminAuditLogConfig", "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242"} 
+{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-10T07:37:15", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": 
true, "AppId": "", "CreationTime": "2020-02-10T07:37:17", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "AdminAuditLogEnabled", "Value": "True"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-AdminAuditLogConfig", "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", "CreationTime": "2020-02-10T07:37:24"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "InstantMessagingType", "Value": "Ocs"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-OwaMailboxPolicy", "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", "Id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", "CreationTime": "2020-02-07T20:49:34"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "Management", "Value": "True"}, {"Name": "Force", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "DisplayName", "Value": "Microsoft Exchange 
Migration"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "Migration", "Value": "True"}, {"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136"}, {"Name": "Arbitration", "Value": "True"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", "CreationTime": "2020-02-10T07:37:12"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": 
"RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "6ddabbf8-4b7c-4982-2683-08d7adfc0c10", "CreationTime": "2020-02-10T07:37:14"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ClientAppId": "", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:13", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "DisplayName", "Value": "Microsoft Exchange"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042"}, {"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:02", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, 
{"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "f580aae6-d0d5-4204-1a13-08d7ac0f2a03"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:57", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", 
"UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:15", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "2db154f6-63ae-4a31-c548-08d7adfc0d1d"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": 
"testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:21", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ClientAppId": "", "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Workload": "Exchange", 
"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", "CreationTime": "2020-02-10T07:37:17"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:04", "Parameters": [{"Name": "DoNotUpdateRecipients", "Value": "True"}, {"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ClientAppId": "", "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Enable-AddressListPaging", "Id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:55", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "AdminAuditLogEnabled", "Value": "True"}], "UserType": 3, "Version": 1, "ClientAppId": "", "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-AdminAuditLogConfig", "Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance15", "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Version": 1, "AppId": "", "CreationTime": "2020-02-10T07:37:24", "Parameters": [{"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "PrivacyStatementURL", "Value": "http://go.microsoft.com/fwlink/?LinkID=259417"}, {"Name": "PrivacyLinkDisplayEnabled", "Value": "True"}], "ClientAppId": "", "Workload": "Exchange", "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ExternalAccess": true, "UserKey": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-ExchangeAssistanceConfig", "Id": "2cb36c1c-1368-4483-9801-08d7adfc11fe"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "AppId": "", "CreationTime": "2020-02-10T07:37:23", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\Recipient Quota Policy"}, {"Name": "PublicFolderHierarchyMailboxCountQuota", "Value": "100"}], "UserType": 3, "Version": 1, "ClientAppId": "", "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-RecipientEnforcementProvisioningPolicy", "Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:24", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TenantObjectVersion", "ObjectId": "testsiem.onmicrosoft.com", "Id": "a9fb5fce-4ce4-43eb-f429-08d7adfc122c"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, 
"Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"}, {"Name": "User", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management"}, {"Name": "AccessRights", "Value": "FullAccess"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:49:49", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "UserType": 3, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Add-MailboxPermission", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Id": "5f84ceaa-e6df-4ba1-1085-08d7ac0f4646"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Id": 
"1c7412a6-858d-49ff-3f93-08d7ac0f45bf", "CreationTime": "2020-02-07T20:49:49"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}, {"Name": "AdminAuditLogEnabled", "Value": "True"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:55", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-AdminAuditLogConfig", "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "OMEncryptionStore", "Value": "True"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "Workload": "Exchange", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "Id": "7386959b-a0d0-459e-baf8-08d7adfc0b4b", "CreationTime": "2020-02-10T07:37:12"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", 
"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", "CreationTime": "2020-02-10T07:37:15"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "CreationTime": "2020-02-07T20:49:03", "ClientAppId": "", "Version": 1, "ResultStatus": "True", 
"AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Id": "96b98335-ab19-4e22-31e0-08d7ac0f2ac2"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:49:21", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Id": "5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01", "CreationTime": "2020-02-07T20:49:04"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": 
"testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "Workload": "Exchange", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "ff48ffeb-5c2a-468f-9113-08d7ac0f3512", "CreationTime": "2020-02-07T20:49:21"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": 
"QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:14", "UserType": 3, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "d16f181c-257c-4d40-45e1-08d7adfc0c02"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": 
"ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", "CreationTime": "2020-02-07T20:48:57"} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:21", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"}, {"Name": "User", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management"}, {"Name": "AccessRights", "Value": "FullAccess"}], 
"UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Add-MailboxPermission", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Id": "86a8ddaf-15d2-44b4-62d5-08d7adfc1062", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Id": "8b544cbd-f42b-4910-82ef-08d7ac0f26fc", "CreationTime": "2020-02-07T20:48:57", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "DisplayName", "Value": "Microsoft Exchange"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042"}, {"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", "CreationTime": "2020-02-10T07:37:13", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 
(15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:07", "Parameters": [{"Name": "DoNotUpdateRecipients", "Value": "True"}, {"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Enable-AddressListPaging", "ObjectId": "testsiem.onmicrosoft.com", "Id": "d7134fa4-2e25-4a7d-d84d-08d7adfc0802", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": 
"Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", "CreationTime": "2020-02-10T07:37:14", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "ObjectId": "testsiem.onmicrosoft.com\\Resource Schema", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-07T20:48:32", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Organization", "Value": "testsiem.onmicrosoft.com"}], "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Install-ResourceConfig", "Id": "060e0f74-72a7-40d1-30fa-08d7ac0f17d8", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\Recipient Quota Policy"}, {"Name": "PublicFolderHierarchyMailboxCountQuota", "Value": "100"}], "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "AppId": "", "CreationTime": "2020-02-10T07:37:23", "ClientAppId": "", "UserType": 3, "Version": 1, "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", 
"UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-RecipientEnforcementProvisioningPolicy", "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "OrganizationName": "testsiem.onmicrosoft.com", "Workload": "Exchange", "Parameters": [{"Name": "Force", "Value": "True"}, {"Name": "UMGrammar", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "MaxSendSize", "Value": "1 GB (1,073,741,824 bytes)"}, {"Name": "MailRouting", "Value": "True"}, {"Name": "MessageTracking", "Value": "True"}, {"Name": "OMEncryption", "Value": "True"}, {"Name": "OABGen", "Value": "True"}, {"Name": "ClientExtensions", "Value": "True"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"}, {"Name": "GMGen", "Value": "True"}, {"Name": "SuiteServiceStorage", "Value": "True"}], "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:48:42", "ClientAppId": "", "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", "Id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "Version": 1, "ClientAppId": "", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, 
"AppId": "", "CreationTime": "2020-02-10T07:37:16", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "c6db95ea-9eae-4b58-d692-08d7adfc0d98", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "Version": 1, "ClientAppId": "", "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-07T20:49:52", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "IgnoreDehydratedFlag", "Value": "True"}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com\\Recipient Quota Policy"}, 
{"Name": "PublicFolderHierarchyMailboxCountQuota", "Value": "100"}], "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "OrganizationName": "testsiem.onmicrosoft.com", "Operation": "Set-RecipientEnforcementProvisioningPolicy", "Id": "c706f54e-1b00-43ed-5b06-08d7ac0f47a6", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "Version": 1, "ClientAppId": "", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T07:37:15", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "OrganizationName": "testsiem.onmicrosoft.com", "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Id": "fcd82149-fc1c-4866-e16d-08d7adfc0cff", "RecordType": 1} +{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "Version": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Parameters": [{"Name": "ProhibitSendReceiveQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "Management", "Value": "True"}, {"Name": "Force", "Value": "True"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "DisplayName", "Value": "Microsoft Exchange Migration"}, {"Name": "IssueWarningQuota", "Value": "9 GB (9,663,676,416 bytes)"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "Migration", "Value": "True"}, {"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "ProhibitSendQuota", "Value": "10 GB (10,737,418,240 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136"}, {"Name": "Arbitration", "Value": "True"}], "UserType": 3, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "OrganizationName": "testsiem.onmicrosoft.com", "ClientAppId": "", "Workload": "Exchange", "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", "CreationTime": "2020-02-07T20:48:44", "RecordType": 1} 
+{"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "Version": 1, "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ClientAppId": "", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ExternalAccess": true, "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "OrganizationName": "testsiem.onmicrosoft.com", "Parameters": [{"Name": "RecoverableItemsQuota", "Value": "30 GB (32,212,254,720 bytes)"}, {"Name": "Force", "Value": "True"}, {"Name": "Arbitration", "Value": "True"}, {"Name": "QuarantineMessageStore", "Value": "True"}, {"Name": "ProhibitSendQuota", "Value": "99 GB (106,300,440,576 bytes)"}, {"Name": "HiddenFromAddressListsEnabled", "Value": "True"}, {"Name": "SCLDeleteEnabled", "Value": "False"}, {"Name": "SCLQuarantineEnabled", "Value": "False"}, {"Name": "SCLRejectEnabled", "Value": "False"}, {"Name": "UseDatabaseQuotaDefaults", "Value": "False"}, {"Name": "RecoverableItemsWarningQuota", "Value": "20 GB (21,474,836,480 bytes)"}, {"Name": "IssueWarningQuota", "Value": "90 GB (96,636,764,160 bytes)"}, {"Name": "Identity", "Value": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}"}, {"Name": "ProhibitSendReceiveQuota", "Value": "100 GB (107,374,182,400 bytes)"}, {"Name": "SCLJunkEnabled", "Value": "False"}], "UserType": 3, "Workload": "Exchange", "ResultStatus": "True", "AppId": "", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "e9e580ee-ac04-436f-9214-08d7adfc0d8b", "CreationTime": "2020-02-10T07:37:16", "RecordType": 1}
diff --git a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json
new file mode 100644
index 000000000000..43ed055dad6b
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json 
@@ -0,0 +1,5010 @@ +[ + { + "@timestamp": "2020-02-07T20:49:49.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:49", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": 
"2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "6c3454e1-1a13-411b-bed1-08d7adfc0c09", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 980, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "6c3454e1-1a13-411b-bed1-08d7adfc0c09", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + 
"o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:03.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "b5131b23-3efb-481a-c05b-08d7ac0f2a82", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2735, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:03", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "b5131b23-3efb-481a-c05b-08d7ac0f2a82", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + 
"o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:09.000Z", + "event.action": "Install-DefaultSharingPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ef597809-1c52-4a85-7cce-08d7adfc0939", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": 
"info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 4490, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:09", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ef597809-1c52-4a85-7cce-08d7adfc0939", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3", + "o365.audit.Operation": "Install-DefaultSharingPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Organization": "testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:09.000Z", + "event.action": "Install-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "362ff802-6df6-47e5-09a2-08d7adfc095b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5269, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": 
"2020-02-10T07:37:09", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "362ff802-6df6-47e5-09a2-08d7adfc095b", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Install-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Organization": "testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:13.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 6035, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:13", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + 
"o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.Parameters.OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:43.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "168019d2-1e8a-4394-e90b-08d7ac0f1e69", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 6914, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:43", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "168019d2-1e8a-4394-e90b-08d7ac0f1e69", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", + "o365.audit.Parameters.UMDataStorage": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:34.000Z", + "event.action": "Set-OwaMailboxPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 7955, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:34", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "o365.audit.Operation": "Set-OwaMailboxPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "o365.audit.Parameters.InstantMessagingType": "Ocs", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:20.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 8743, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:20", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 10498, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:04.000Z", + "event.action": "Enable-AddressListPaging", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 12253, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:04", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Enable-AddressListPaging", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DoNotUpdateRecipients": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + 
"o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:58.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a324e83b-d1a3-4855-db2a-08d7ac0f277b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 13107, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:58", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a324e83b-d1a3-4855-db2a-08d7ac0f277b", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + 
"o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 14862, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:09.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 16617, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:09", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + 
"o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 18372, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:09.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 20127, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:09", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:18.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 21882, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:18", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + 
"o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.TenantAllowBlockLists": "True", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "event.action": "Set-TenantObjectVersion", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 23638, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:55", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": 
"514d0e07-410f-469c-a7f9-08d7ac0f496e", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Set-TenantObjectVersion", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:13.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 24439, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:13", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.Parameters.OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:08.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e022fa0d-13b2-4314-b707-08d7adfc0868", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 25318, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:08", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e022fa0d-13b2-4314-b707-08d7adfc0868", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": 
"HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.SupervisionTags": "Reject;Allow", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "event.action": "Set-TenantObjectVersion", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 26189, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:55", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Set-TenantObjectVersion", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:52.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 26990, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:52", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.Parameters.OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + 
"o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:49.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "9eb764a6-fee5-4c3a-6adc-08d7ac0f220f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 27869, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:49", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "9eb764a6-fee5-4c3a-6adc-08d7ac0f220f", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.OMEncryptionStore": "True", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:18.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 29609, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": 
"2020-02-10T07:37:18", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.TenantAllowBlockLists": "True", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:56.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "d83e97f0-951c-4ccc-630e-08d7ac0f267e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 31365, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:56", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "d83e97f0-951c-4ccc-630e-08d7ac0f267e", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": 
"True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 33120, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:57.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + 
"event.dataset": "o365.audit", + "event.id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 34875, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:57", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": 
"False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:16.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "979931d3-c99d-45b1-14e1-08d7ac0f3209", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 36630, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:16", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "979931d3-c99d-45b1-14e1-08d7ac0f3209", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:20.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "4bddac31-664e-4432-d181-08d7ac0f34d2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 38385, + "o365.audit.AppId": 
"", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:20", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "4bddac31-664e-4432-d181-08d7ac0f34d2", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": 
"Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "4d2e1010-489d-4aa0-e300-08d7ac0f314c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 40140, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "4d2e1010-489d-4aa0-e300-08d7ac0f314c", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + 
"o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:44.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 41895, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:44", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Operation": "Set-Mailbox", + 
"o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange Migration", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.Management": "True", + "o365.audit.Parameters.Migration": "True", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": 
"2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 43719, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + 
"o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "d3533d4d-f62f-4731-d0c9-08d7adfc0c7b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 45474, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "d3533d4d-f62f-4731-d0c9-08d7adfc0c7b", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + 
"o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:20.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + 
"fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 47229, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:20", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + 
"o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:08.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "bc03d223-966c-4e33-6cf7-08d7ac0f2d88", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 48984, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:08", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "bc03d223-966c-4e33-6cf7-08d7ac0f2d88", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + 
"o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:20.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 50739, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:20", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "o365.audit.ObjectId": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + 
"user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:09.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7a500a7f-cc56-4dfd-d740-08d7ac0f2e45", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 52494, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:09", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7a500a7f-cc56-4dfd-d740-08d7ac0f2e45", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 
bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:10.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "6047e3da-8661-44a4-6fd2-08d7ac0f2e85", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 54249, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:10", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "6047e3da-8661-44a4-6fd2-08d7ac0f2e85", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 56004, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 57759, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + 
"o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:42.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 59514, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:42", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": 
"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.ClientExtensions": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.GMGen": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "o365.audit.Parameters.MailRouting": "True", + "o365.audit.Parameters.MaxSendSize": "1 GB (1,073,741,824 bytes)", + "o365.audit.Parameters.MessageTracking": "True", + "o365.audit.Parameters.OABGen": "True", + "o365.audit.Parameters.OMEncryption": "True", + "o365.audit.Parameters.SuiteServiceStorage": "True", + "o365.audit.Parameters.UMGrammar": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "event.action": "Set-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": 
"0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 60916, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:55", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Set-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AdminAuditLogEnabled": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:52.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4", + "event.kind": "event", + 
"event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 61845, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:52", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.HygieneSuite": "Premium", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:52.000Z", + "event.action": "Set-TransportConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + 
"log.offset": 62639, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:52", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "o365.audit.Operation": "Set-TransportConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.Parameters.OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:06.000Z", + "event.action": "New-ExchangeAssistanceConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "627aa8ff-1411-475d-d202-08d7ac0f08a5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 63518, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": 
"2020-02-07T20:48:06", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "627aa8ff-1411-475d-d202-08d7ac0f08a5", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance", + "o365.audit.Operation": "New-ExchangeAssistanceConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.Parameters.Organization": "testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:12.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 64330, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:12", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange Migration", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.Management": "True", + "o365.audit.Parameters.Migration": "True", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + 
"service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:18.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 66154, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:18", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + 
"o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.TenantAllowBlockLists": "True", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 67910, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + 
"o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "8126fd52-b16b-45c5-6aff-08d7adfc0c97", + "event.kind": "event", + 
"event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 69665, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "8126fd52-b16b-45c5-6aff-08d7adfc0c97", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + 
"o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "70f24b65-0224-473b-49b8-08d7adfc0c83", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 71420, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "70f24b65-0224-473b-49b8-08d7adfc0c83", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "515c88f2-2cbf-4214-2d9b-08d7adfc0e0f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 73175, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + 
"o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "515c88f2-2cbf-4214-2d9b-08d7adfc0e0f", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:57.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 74930, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:57", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": 
"True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:02.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "40786a66-fbd5-4a24-d9af-08d7ac0f2a42", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 76685, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:02", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "40786a66-fbd5-4a24-d9af-08d7ac0f2a42", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + 
"event.dataset": "o365.audit", + "event.id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 78440, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": 
"False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:51.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "93d5f028-263c-45f1-dcf9-08d7ac0f2378", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 80195, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:51", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "93d5f028-263c-45f1-dcf9-08d7ac0f2378", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + 
"o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "1eea5379-4c86-4d6f-00cf-08d7adfc0e23", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 81938, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", 
+ "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "1eea5379-4c86-4d6f-00cf-08d7adfc0e23", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 83693, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": 
"True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:23.000Z", + "event.action": "Set-RecipientEnforcementProvisioningPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 85448, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:23", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Operation": "Set-RecipientEnforcementProvisioningPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.Parameters.PublicFolderHierarchyMailboxCountQuota": "100", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:24.000Z", + "event.action": "Set-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 86366, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:24", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Set-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": 
"HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AdminAuditLogEnabled": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 87295, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": 
"HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "event.kind": "event", + "event.module": "o365", + 
"event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 89050, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + 
"o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:24.000Z", + "event.action": "Set-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 90805, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:24", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Set-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AdminAuditLogEnabled": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:34.000Z", + "event.action": "Set-OwaMailboxPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 91734, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:34", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "o365.audit.Operation": "Set-OwaMailboxPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "o365.audit.Parameters.InstantMessagingType": "Ocs", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:12.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 92522, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:12", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange Migration", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.Management": "True", + "o365.audit.Parameters.Migration": "True", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 
bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "6ddabbf8-4b7c-4982-2683-08d7adfc0c10", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 94346, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "6ddabbf8-4b7c-4982-2683-08d7adfc0c10", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:13.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 96101, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:13", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + 
"o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:02.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "f580aae6-d0d5-4204-1a13-08d7ac0f2a03", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 97844, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:02", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "f580aae6-d0d5-4204-1a13-08d7ac0f2a03", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:57.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 99599, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:57", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2db154f6-63ae-4a31-c548-08d7adfc0d1d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 101354, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2db154f6-63ae-4a31-c548-08d7adfc0d1d", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + 
"o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 103109, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": 
"a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": 
"HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:17.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 104864, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:17", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + 
"o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:04.000Z", + "event.action": "Enable-AddressListPaging", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 106619, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:04", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Enable-AddressListPaging", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.DoNotUpdateRecipients": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "event.action": "Set-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 107473, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:55", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Set-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AdminAuditLogEnabled": "True", + "o365.audit.Parameters.DomainController": "", + 
"o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:24.000Z", + "event.action": "Set-ExchangeAssistanceConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "2cb36c1c-1368-4483-9801-08d7adfc11fe", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 108402, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:24", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "2cb36c1c-1368-4483-9801-08d7adfc11fe", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance15", + "o365.audit.Operation": "Set-ExchangeAssistanceConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com", + "o365.audit.Parameters.PrivacyLinkDisplayEnabled": "True", + "o365.audit.Parameters.PrivacyStatementURL": 
"http://go.microsoft.com/fwlink/?LinkID=259417", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:23.000Z", + "event.action": "Set-RecipientEnforcementProvisioningPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 109265, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:23", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Operation": "Set-RecipientEnforcementProvisioningPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.Parameters.PublicFolderHierarchyMailboxCountQuota": "100", + 
"o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:24.000Z", + "event.action": "Set-TenantObjectVersion", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a9fb5fce-4ce4-43eb-f429-08d7adfc122c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 110183, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:24", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a9fb5fce-4ce4-43eb-f429-08d7adfc122c", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Set-TenantObjectVersion", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:49.000Z", + "event.action": "Add-MailboxPermission", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "5f84ceaa-e6df-4ba1-1085-08d7ac0f4646", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 110984, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:49", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "5f84ceaa-e6df-4ba1-1085-08d7ac0f4646", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Operation": "Add-MailboxPermission", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AccessRights": "FullAccess", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Parameters.User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management", + 
"o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:49.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 112168, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:49", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.RecordType": 1, + 
"o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "event.action": "Set-AdminAuditLogConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 113148, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:55", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "o365.audit.Operation": "Set-AdminAuditLogConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AdminAuditLogEnabled": "True", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:12.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7386959b-a0d0-459e-baf8-08d7adfc0b4b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 114077, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:12", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7386959b-a0d0-459e-baf8-08d7adfc0b4b", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB 
(96,636,764,160 bytes)", + "o365.audit.Parameters.OMEncryptionStore": "True", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 115817, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "o365.audit.ObjectId": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + 
"user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:03.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "96b98335-ab19-4e22-31e0-08d7ac0f2ac2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 117572, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:03", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "96b98335-ab19-4e22-31e0-08d7ac0f2ac2", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 
bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 119327, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + 
"o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:04.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 121082, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:04", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ff48ffeb-5c2a-468f-9113-08d7ac0f3512", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 122837, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ff48ffeb-5c2a-468f-9113-08d7ac0f3512", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + 
"o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 124592, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": 
"d16f181c-257c-4d40-45e1-08d7adfc0c02", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": 
"HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:57.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 126347, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:57", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + 
"o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:21.000Z", + "event.action": "Add-MailboxPermission", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "86a8ddaf-15d2-44b4-62d5-08d7adfc1062", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 128102, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:21", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "86a8ddaf-15d2-44b4-62d5-08d7adfc1062", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Operation": "Add-MailboxPermission", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": 
"testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.AccessRights": "FullAccess", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "o365.audit.Parameters.User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:57.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "8b544cbd-f42b-4910-82ef-08d7ac0f26fc", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 129286, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:57", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "8b544cbd-f42b-4910-82ef-08d7ac0f26fc", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:13.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 131041, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:13", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + 
"o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:07.000Z", + "event.action": "Enable-AddressListPaging", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "d7134fa4-2e25-4a7d-d84d-08d7adfc0802", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 132784, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:07", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "d7134fa4-2e25-4a7d-d84d-08d7adfc0802", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com", + "o365.audit.Operation": "Enable-AddressListPaging", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DoNotUpdateRecipients": "True", + "o365.audit.Parameters.DomainController": "", + 
"o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 133638, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:14", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + 
"o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:32.000Z", + "event.action": "Install-ResourceConfig", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "060e0f74-72a7-40d1-30fa-08d7ac0f17d8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + 
"log.offset": 135393, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:32", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "060e0f74-72a7-40d1-30fa-08d7ac0f17d8", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Resource Schema", + "o365.audit.Operation": "Install-ResourceConfig", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Organization": "testsiem.onmicrosoft.com", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:23.000Z", + "event.action": "Set-RecipientEnforcementProvisioningPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 136145, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:23", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + 
"o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Operation": "Set-RecipientEnforcementProvisioningPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.Parameters.PublicFolderHierarchyMailboxCountQuota": "100", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:42.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 137063, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:42", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.ClientExtensions": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.GMGen": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "o365.audit.Parameters.MailRouting": "True", + "o365.audit.Parameters.MaxSendSize": "1 GB (1,073,741,824 bytes)", + "o365.audit.Parameters.MessageTracking": "True", + "o365.audit.Parameters.OABGen": "True", + "o365.audit.Parameters.OMEncryption": "True", + "o365.audit.Parameters.SuiteServiceStorage": "True", + "o365.audit.Parameters.UMGrammar": "True", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:16.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "c6db95ea-9eae-4b58-d692-08d7adfc0d98", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + 
"event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 138465, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:16", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "c6db95ea-9eae-4b58-d692-08d7adfc0d98", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:49:52.000Z", + "event.action": "Set-RecipientEnforcementProvisioningPolicy", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "c706f54e-1b00-43ed-5b06-08d7ac0f47a6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 140220, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:49:52", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "c706f54e-1b00-43ed-5b06-08d7ac0f47a6", + "o365.audit.ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Operation": "Set-RecipientEnforcementProvisioningPolicy", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.DomainController": "", + "o365.audit.Parameters.Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", + "o365.audit.Parameters.IgnoreDehydratedFlag": "True", + "o365.audit.Parameters.PublicFolderHierarchyMailboxCountQuota": "100", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "fcd82149-fc1c-4866-e16d-08d7adfc0cff", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 141138, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:15", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "fcd82149-fc1c-4866-e16d-08d7adfc0cff", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": 
"99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-07T20:48:44.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 142893, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-07T20:48:44", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.DisplayName": "Microsoft Exchange Migration", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "o365.audit.Parameters.IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "o365.audit.Parameters.Management": "True", + "o365.audit.Parameters.Migration": "True", + "o365.audit.Parameters.ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + 
"service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + }, + { + "@timestamp": "2020-02-10T07:37:16.000Z", + "event.action": "Set-Mailbox", + "event.category": "web", + "event.code": "ExchangeAdmin", + "event.dataset": "o365.audit", + "event.id": "e9e580ee-ac04-436f-9214-08d7adfc0d8b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 144717, + "o365.audit.AppId": "", + "o365.audit.ClientAppId": "", + "o365.audit.CreationTime": "2020-02-10T07:37:16", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "e9e580ee-ac04-436f-9214-08d7adfc0d8b", + "o365.audit.ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Operation": "Set-Mailbox", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", + "o365.audit.Parameters.Arbitration": "True", + "o365.audit.Parameters.Force": "True", + "o365.audit.Parameters.HiddenFromAddressListsEnabled": "True", + "o365.audit.Parameters.Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "o365.audit.Parameters.IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "o365.audit.Parameters.ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "o365.audit.Parameters.ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "o365.audit.Parameters.QuarantineMessageStore": "True", + "o365.audit.Parameters.RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "o365.audit.Parameters.RecoverableItemsWarningQuota": 
"20 GB (21,474,836,480 bytes)", + "o365.audit.Parameters.SCLDeleteEnabled": "False", + "o365.audit.Parameters.SCLJunkEnabled": "False", + "o365.audit.Parameters.SCLQuarantineEnabled": "False", + "o365.audit.Parameters.SCLRejectEnabled": "False", + "o365.audit.Parameters.UseDatabaseQuotaDefaults": "False", + "o365.audit.RecordType": 1, + "o365.audit.ResultStatus": "True", + "o365.audit.UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "o365.audit.UserType": 3, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "server.address": "HE1PR0102MB3228 (15.20.2707.017)", + "service.type": "o365", + "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log new file mode 100644 index 000000000000..4343b23e7c33 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log 
@@ -0,0 +1,9 @@ +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"Create","ClientIPAddress":"::1","Item":{"InternetMessageId":"","IsRecord":false,"Id":"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ","Attachments":"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)","ParentFolder":{"Path":"\\Inbox","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB"},"Subject":"The new SIEMTest group is ready"},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.2729.032)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"778e6fd9-b5d5-4431-a10f-245bde6e0cb8","Operation":"Create","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"InternetMessageId":"","IsRecord":false,"Id":"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ","ParentFolder":{"Path":"\\Inbox","Id":"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB"},"Attachments":"warming_email_03_2017_calendar.png (598b); 
warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)","Subject":"The new All Company group is ready"},"LogonUserSid":"S-1-5-18","RecordType":2,"OriginatingServer":"DB3PR0102MB3500 (15.20.2729.032)\n","Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679883","ResultStatus":"Succeeded","LogonType":1,"ExternalAccess":true,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:46","Id":"c0790552-9989-4e91-cba4-08d7b386e642","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"685170f5-2238-470d-824b-239a02afafbd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"Create","ClientIPAddress":"::1","Item":{"InternetMessageId":"","IsRecord":false,"Id":"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ","ParentFolder":{"Path":"\\Inbox","Id":"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB"},"Attachments":"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)","Subject":"The new All Company group is ready"},"LogonUserSid":"S-1-5-18","RecordType":2,"OriginatingServer":"DB7PR01MB4428 
(15.20.2707.031)\n","Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679882","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:31","Id":"c6b58ed7-a54a-47cf-a301-08d7b386dd7c","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"778e6fd9-b5d5-4431-a10f-245bde6e0cb8","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"ModifyFolderPermissions","ClientIPAddress":"::1","Item":{"Id":"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-2005823449-1144108501-1529089953-3087822558-1","Id":"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC","MemberUpn":"Member@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","RecordType":2,"OriginatingServer":"DB3PR0102MB3500 (15.20.2729.032)","Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679883","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:41","Id":"815684be-4e52-4cb2-9242-08d7b386e333","UserType":2} 
+{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"685170f5-2238-470d-824b-239a02afafbd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"ModifyFolderPermissions","ClientIPAddress":"::1","Item":{"Id":"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-1750167797-1192043064-2586004354-3182407426-0","Id":"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","RecordType":2,"OriginatingServer":"DB7PR01MB4428 (15.20.2707.031)\n","Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679882","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:22","Id":"f5b56c26-18aa-4984-822e-08d7b386d7e2","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"685170f5-2238-470d-824b-239a02afafbd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"ModifyFolderPermissions","ClientIPAddress":"::1","Item":{"Id":"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-1750167797-1192043064-2586004354-3182407426-1","Id":"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC","MemberUpn":"Member@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"DB7PR01MB4428 
(15.20.2707.031)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679882","ResultStatus":"Succeeded","LogonType":1,"ExternalAccess":true,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:22","Id":"25ccad93-82ad-4742-5231-08d7b386d7e6","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"778e6fd9-b5d5-4431-a10f-245bde6e0cb8","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"ModifyFolderPermissions","ClientIPAddress":"::1","Item":{"Id":"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-2005823449-1144108501-1529089953-3087822558-0","MemberUpn":"Owner@local","Id":"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"DB3PR0102MB3500 (15.20.2729.032)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26679883","ResultStatus":"Succeeded","LogonType":1,"ExternalAccess":true,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T08:53:41","Id":"edb9bb1f-9629-43a1-0a57-08d7b386e31c","UserType":2} 
+{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"ModifyFolderPermissions","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-1","MemberUpn":"Member@local","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.2729.032)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","LogonType":1,"ExternalAccess":true,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"df63d186-b4d9-49a8-748c-08d7b3cc81fb","UserType":2} +{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 
(15.20.2729.032)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2}
diff --git a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json
new file mode 100644
index 000000000000..525e9dcf3626
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json
@@ -0,0 +1,533 @@ +[ + { + "@timestamp": "2020-02-17T17:12:03.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "Create", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T17:12:03", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Attachments": "warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)", + "o365.audit.Item.Id": "RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ", + "o365.audit.Item.InternetMessageId": "", + "o365.audit.Item.IsRecord": false, + "o365.audit.Item.ParentFolder.Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB", + "o365.audit.Item.ParentFolder.Path": "\\Inbox", + "o365.audit.Item.Subject": "The new SIEMTest group is ready", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", + 
"o365.audit.MailboxOwnerUPN": "SIEMTest@testsiem.onmicrosoft.com", + "o365.audit.Operation": "Create", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "AM6PR01MB4535 (15.20.2729.032)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "AM6PR01MB4535 (15.20.2729.032)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "SIEMTest@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:46.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "Create", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "c0790552-9989-4e91-cba4-08d7b386e642", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1526, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:46", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "c0790552-9989-4e91-cba4-08d7b386e642", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Attachments": "warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); 
windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)", + "o365.audit.Item.Id": "RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ", + "o365.audit.Item.InternetMessageId": "", + "o365.audit.Item.IsRecord": false, + "o365.audit.Item.ParentFolder.Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB", + "o365.audit.Item.ParentFolder.Path": "\\Inbox", + "o365.audit.Item.Subject": "The new All Company group is ready", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "o365.audit.Operation": "Create", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "DB3PR0102MB3500 (15.20.2729.032)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:31.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "Create", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": 
"c6b58ed7-a54a-47cf-a301-08d7b386dd7c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 3083, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:31", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "c6b58ed7-a54a-47cf-a301-08d7b386dd7c", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Attachments": "warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)", + "o365.audit.Item.Id": "RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ", + "o365.audit.Item.InternetMessageId": "", + "o365.audit.Item.IsRecord": false, + "o365.audit.Item.ParentFolder.Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB", + "o365.audit.Item.ParentFolder.Path": "\\Inbox", + "o365.audit.Item.Subject": "The new All Company group is ready", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "o365.audit.Operation": "Create", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + 
"o365.audit.OriginatingServer": "DB7PR01MB4428 (15.20.2707.031)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:41.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "815684be-4e52-4cb2-9242-08d7b386e333", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 4634, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:41", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "815684be-4e52-4cb2-9242-08d7b386e333", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-2005823449-1144108501-1529089953-3087822558-1", + 
"o365.audit.Item.ParentFolder.MemberUpn": "Member@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "o365.audit.Operation": "ModifyFolderPermissions", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "DB3PR0102MB3500 (15.20.2729.032)", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB3PR0102MB3500 (15.20.2729.032)", + "service.type": "o365", + "source.ip": "::1", + "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:22.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "f5b56c26-18aa-4984-822e-08d7b386d7e2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5847, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + 
"o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:22", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "f5b56c26-18aa-4984-822e-08d7b386d7e2", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-1750167797-1192043064-2586004354-3182407426-0", + "o365.audit.Item.ParentFolder.MemberUpn": "Owner@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "o365.audit.Operation": "ModifyFolderPermissions", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "DB7PR01MB4428 (15.20.2707.031)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", + "service.type": "o365", + 
"source.ip": "::1", + "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:22.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "25ccad93-82ad-4742-5231-08d7b386d7e6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 7111, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:22", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "25ccad93-82ad-4742-5231-08d7b386d7e6", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-1750167797-1192043064-2586004354-3182407426-1", + "o365.audit.Item.ParentFolder.MemberUpn": "Member@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "o365.audit.Operation": 
"ModifyFolderPermissions", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "DB7PR01MB4428 (15.20.2707.031)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB7PR01MB4428 (15.20.2707.031)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T08:53:41.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "edb9bb1f-9629-43a1-0a57-08d7b386e31c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 8324, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T08:53:41", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "edb9bb1f-9629-43a1-0a57-08d7b386e31c", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Create, EditOwned, 
DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-2005823449-1144108501-1529089953-3087822558-0", + "o365.audit.Item.ParentFolder.MemberUpn": "Owner@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", + "o365.audit.MailboxOwnerUPN": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "o365.audit.Operation": "ModifyFolderPermissions", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "DB3PR0102MB3500 (15.20.2729.032)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": "testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "df63d186-b4d9-49a8-748c-08d7b3cc81fb", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", 
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 9590, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T17:12:03", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "df63d186-b4d9-49a8-748c-08d7b3cc81fb", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-640184314-1174341437-2555636127-1766693009-1", + "o365.audit.Item.ParentFolder.MemberUpn": "Member@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", + "o365.audit.MailboxOwnerUPN": "SIEMTest@testsiem.onmicrosoft.com", + "o365.audit.Operation": "ModifyFolderPermissions", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.OrganizationName": "testsiem.onmicrosoft.com", + "o365.audit.OriginatingServer": "AM6PR01MB4535 (15.20.2729.032)\n", + "o365.audit.RecordType": 2, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.UserId": "S-1-5-18", + "o365.audit.UserKey": "S-1-5-18", + "o365.audit.UserType": 2, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "organization.name": 
"testsiem.onmicrosoft.com", + "related.ip": "::1", + "server.address": "AM6PR01MB4535 (15.20.2729.032)\n", + "service.type": "o365", + "source.ip": "::1", + "user.email": "SIEMTest@testsiem.onmicrosoft.com", + "user.id": "S-1-5-18" + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", + "client.address": "::1", + "client.ip": "::1", + "event.action": "ModifyFolderPermissions", + "event.category": "web", + "event.code": "ExchangeItem", + "event.dataset": "o365.audit", + "event.id": "284dfe85-ab53-48ad-0863-08d7b3cc81f7", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 10832, + "network.type": "ipv6", + "o365.audit.ClientIP": "::1", + "o365.audit.ClientIPAddress": "::1", + "o365.audit.ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "o365.audit.CreationTime": "2020-02-17T17:12:03", + "o365.audit.ExternalAccess": true, + "o365.audit.Id": "284dfe85-ab53-48ad-0863-08d7b3cc81f7", + "o365.audit.InternalLogonType": 1, + "o365.audit.Item.Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", + "o365.audit.Item.ParentFolder.MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", + "o365.audit.Item.ParentFolder.MemberSid": "S-1-8-640184314-1174341437-2555636127-1766693009-0", + "o365.audit.Item.ParentFolder.MemberUpn": "Owner@local", + "o365.audit.Item.ParentFolder.Name": "Calendar", + "o365.audit.Item.ParentFolder.Path": "\\Calendar", + "o365.audit.LogonType": 1, + "o365.audit.LogonUserSid": "S-1-5-18", + "o365.audit.MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + "o365.audit.MailboxOwnerMasterAccountSid": "S-1-5-10", + "o365.audit.MailboxOwnerSid": 
"S-1-5-21-3422892061-1135328251-2670905592-26680073",
+ "o365.audit.MailboxOwnerUPN": "SIEMTest@testsiem.onmicrosoft.com",
+ "o365.audit.Operation": "ModifyFolderPermissions",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.OrganizationName": "testsiem.onmicrosoft.com",
+ "o365.audit.OriginatingServer": "AM6PR01MB4535 (15.20.2729.032)\n",
+ "o365.audit.RecordType": 2,
+ "o365.audit.ResultStatus": "Succeeded",
+ "o365.audit.UserId": "S-1-5-18",
+ "o365.audit.UserKey": "S-1-5-18",
+ "o365.audit.UserType": 2,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "Exchange",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "organization.name": "testsiem.onmicrosoft.com",
+ "related.ip": "::1",
+ "server.address": "AM6PR01MB4535 (15.20.2729.032)\n",
+ "service.type": "o365",
+ "source.ip": "::1",
+ "user.email": "SIEMTest@testsiem.onmicrosoft.com",
+ "user.id": "S-1-5-18"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log
new file mode 100644
index 000000000000..ff290c1041b5
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log
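Review bot: `server.address` is being filled with the raw `OriginatingServer` string, e.g. `"server.address": "AM6PR01MB4535 (15.20.2729.032)\n"` in every Exchange record of this golden file, so the ECS field carries a build-version suffix and a trailing newline and will never join or match against `server.address` from any other source. The ingest pipeline is not in this chunk, so I can only infer it copies the value verbatim; it should either strip everything from the first space onward (keeping the full string in `o365.audit.OriginatingServer`) or not set `server.address` at all. Separately, each record has `"user.id": "S-1-5-18"` taken from the actor `UserId`/`LogonUserSid` while `"user.email"` is the `MailboxOwnerUPN`, i.e. the target mailbox of the `ModifyFolderPermissions` change, so one `user` object mixes two principals; this matters for detections on who granted calendar rights to whom. Mapping the owner UPN into `related.user` (already used by the SharePoint golden file) or a dedicated target field instead of `user.email` would keep the actor and the affected mailbox distinguishable.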
@@ -0,0 +1,4 @@
+{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CustomUniqueId": true, "UserType": 0, "Version": 1, "EventSource": "SharePoint", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "Operation": "PageViewed", "CreationTime": "2020-02-07T16:43:53", "RecordType": 4}
+{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "Version": 1, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "Operation": "PageViewed", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "RecordType": 4}
+{"UserId": "asr@testsiem.onmicrosoft.com", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", 
"Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "Version": 1, "EventSource": "SharePoint", "CustomUniqueId": true, "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "Operation": "PageViewed", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"}
+{"Workload": "OneDrive", "Version": 1, "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "ClientIP": "213.97.47.133", "Operation": "PageViewed", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"}
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
new file mode 100644
index 000000000000..93b5869d8742
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
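Review bot: This fixture commits a real, routable client address, `"ClientIP": "213.97.47.133"`, and the companion golden file resolves it to AS3352 Telefonica de Espana / Barcelona, so it is almost certainly an individual's residential ISP address captured from a live tenant; the four records also carry a consumer-identity `"UserKey": "i:0h.f|membership|1003200096971f55@live.com"`. Test data in a public repository should not carry identifiers that can be tied back to a person — please replace the IP with a documentation range address (RFC 5737, e.g. `203.0.113.10`) or, if the geoip enrichment path must be exercised, a well-known infrastructure address rather than an end-user one, and swap the `UserKey` for a synthetic membership value. Note that all four records share the same `Id` (`99d005e6-a4c6-46fd-117c-08d7abeceab5`) and differ only in key order, which is fine for an ordering-independence test but means this file does not cover a second distinct SharePoint operation; a short comment in the PR description or a README next to the fixtures stating that intent would help the next maintainer.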
@@ -0,0 +1,258 @@ +[ + { + "@timestamp": "2020-02-07T16:43:53.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "PageViewed", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "o365.audit.CreationTime": "2020-02-07T16:43:53", + "o365.audit.CustomUniqueId": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "o365.audit.ItemType": "Page", + "o365.audit.ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "o365.audit.Operation": "PageViewed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 4, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + 
"source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-07T16:43:53.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "PageViewed", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 870, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "o365.audit.CreationTime": "2020-02-07T16:43:53", + "o365.audit.CustomUniqueId": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "o365.audit.ItemType": "Page", + "o365.audit.ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "o365.audit.Operation": "PageViewed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 4, + "o365.audit.Site": 
"d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:53.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "PageViewed", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1740, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "o365.audit.CreationTime": "2020-02-07T16:43:53", + "o365.audit.CustomUniqueId": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "o365.audit.ItemType": "Page", + "o365.audit.ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "o365.audit.Operation": "PageViewed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 4, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + 
"source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-07T16:43:53.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "PageViewed", + "event.category": "web", + "event.code": "SharePoint", + "event.dataset": "o365.audit", + "event.id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2610, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "o365.audit.CreationTime": "2020-02-07T16:43:53", + "o365.audit.CustomUniqueId": true, + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "o365.audit.ItemType": "Page", + "o365.audit.ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "o365.audit.Operation": "PageViewed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 4, + "o365.audit.Site": 
"d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log new file mode 100644 index 000000000000..bc5573e588db --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log 
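Review bot: `host.id` is populated with the tenant's `OrganizationId` (the same GUID also lands in `organization.id`), which repurposes an ECS host field for what is an organisation identifier; anything that groups or counts by `host.id` — host inventories, detection rules scoped per host — would treat the whole O365 tenant as a single host. Since `organization.id` already carries the value, the pipeline should stop setting `host.id` and this expected output be regenerated, unless there is a documented reason to keep it. The same mapping appears in the 06-sharepointfileop expected output below. Separately, every record is asserted as `event.outcome: success` although none of the input events carries a status field, so the fixture pins a default rather than a parsed value — worth confirming that is intentional. Both observations are inferred from the values here; the pipeline itself is outside this chunk.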
@@ -0,0 +1,11 @@ +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"} +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserAgent": 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"} +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"} +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": 
"OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"} +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ImplicitShare": "No", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"} +{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", 
"UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"} +{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"} +{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, 
"ImplicitShare": "No", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"} +{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"} 
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"} +{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", 
"ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"} diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json new file mode 100644 index 000000000000..feaff17cf4ca --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json 
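Review bot: All eleven records come from one user, one client IP and one site, and the `Operation` values covered are only FileDeleted, FileAccessed, FileUploaded and FileModified, several of them repeated with the same `Id` and permuted key order; the `event.type`/`event.category` mapping for other file-operation values is therefore not pinned by this fixture, as far as this chunk shows. If the repeats are deliberate (key-order independence), a note alongside the fixtures saying so would keep them from being trimmed later. Otherwise one record per operation plus a few distinct operations — a download or a sharing/link operation, which matter most for detection use — would give better coverage at the same size.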
@@ -0,0 +1,796 @@ +[ + { + "@timestamp": "2020-02-07T16:44:07.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileDeleted", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "deletion", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot 2020-01-27 at 11.30.48.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "o365.audit.CreationTime": "2020-02-07T16:44:07", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.Operation": "FileDeleted", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:07.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileDeleted", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "deletion", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot 2020-01-27 at 11.30.48.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1130, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "o365.audit.CreationTime": "2020-02-07T16:44:07", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.Operation": "FileDeleted", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:08.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileAccessed", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "access", + "file.directory": "Documents/Forms", + "file.extension": "aspx", + "file.name": "All.aspx", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2260, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", + "o365.audit.CreationTime": "2020-02-07T16:44:08", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", + "o365.audit.Operation": "FileAccessed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "aspx", + "o365.audit.SourceFileName": "All.aspx", + "o365.audit.SourceRelativeUrl": "Documents/Forms", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:08.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileAccessed", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "access", + "file.directory": "Documents/Forms", + "file.extension": "aspx", + "file.name": "All.aspx", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 3346, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", + "o365.audit.CreationTime": "2020-02-07T16:44:08", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", + "o365.audit.Operation": "FileAccessed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "aspx", + "o365.audit.SourceFileName": "All.aspx", + "o365.audit.SourceRelativeUrl": "Documents/Forms", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:21.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileUploaded", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "creation", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 4432, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", + "o365.audit.CreationTime": "2020-02-07T16:44:21", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "o365.audit.ImplicitShare": "No", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileUploaded", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + 
"o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:23.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileModified", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "change", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5540, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "o365.audit.CreationTime": "2020-02-07T16:44:23", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileModified", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:07.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileDeleted", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "deletion", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot 2020-01-27 at 11.30.48.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 6625, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "o365.audit.CreationTime": "2020-02-07T16:44:07", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.Operation": "FileDeleted", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:21.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileUploaded", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "creation", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 7755, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", + "o365.audit.CreationTime": "2020-02-07T16:44:21", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "o365.audit.ImplicitShare": "No", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileUploaded", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + 
"o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:23.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileModified", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "change", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 8863, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "o365.audit.CreationTime": "2020-02-07T16:44:23", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileModified", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:23.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileModified", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "change", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 9948, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "o365.audit.CreationTime": "2020-02-07T16:44:23", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileModified", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:23.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "FileModified", + "event.category": "file", + "event.code": "SharePointFileOperation", + "event.dataset": "o365.audit", + "event.id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "change", + "file.directory": "Documents", + "file.extension": "png", + "file.name": "Screenshot.png", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 11033, + "network.type": "ipv4", + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "o365.audit.CreationTime": "2020-02-07T16:44:23", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "FileModified", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 6, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + 
"o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log b/x-pack/filebeat/module/o365/audit/test/08-azuread.log new file mode 100644 index 000000000000..7f53e3e5cf9e --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log 
@@ -0,0 +1,100 @@ +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n 
\"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": 
"83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 
20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": 
"env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n 
\"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, 
{"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": 
"actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, 
{"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": 
"ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", 
"Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": 
[{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": 
"FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, 
{"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": 
"targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, 
{"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, 
{"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", 
"Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": 
[{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": 
"d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n 
{\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": 
[{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, 
{"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.6473040Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492835"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 
2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n 
\"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", 
"Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": 
"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n 
\"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", 
"Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", 
"SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, 
{"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7823970Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793206"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "606ae654-e71e-4a6b-a07c-85acd775667b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": 
"1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": 
"ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, 
{"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", 
"Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", 
"OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", 
"Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, 
{"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": 
"env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:15:04", "Actor": [{"Type": 5, "ID": "fim_password_service@support.onmicrosoft.com"}, {"Type": 3, "ID": "100300008060F582"}, {"Type": 2, "ID": "User_00000000-0000-0000-0000-000000000000"}, {"Type": 2, "ID": "00000000-0000-0000-0000-000000000000"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", "RecordType": 8, "ActorIpAddress": "", "UserId": "fim_password_service@support.onmicrosoft.com", "UserType": 0, "UserKey": "100300008060F582@support.onmicrosoft.com", "ClientIP": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "ObjectId": "asr@testsiem.onmicrosoft.com", "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail", "OldValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 
0\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": -1,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "StrongAuthenticationPhoneAppDetail"}, {"Name": "TargetId.UserType", "OldValue": "", "NewValue": "Member"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "d51ef8df-6617-4356-b8d4-89ad7efef31e"}, {"Name": "actorObjectId", "Value": "00000000-0000-0000-0000-000000000000"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "fim_password_service@support.onmicrosoft.com"}, {"Name": "actorPUID", "Value": "100300008060F582"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "targetPUID", "Value": "1003200096971F55"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"StrongAuthenticationPhoneAppDetail\",\"TargetId.UserType\"]"}, {"Name": "correlationId", "Value": "4aa56c6c-8fa5-4787-a165-03f181541438"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": 
"2020-02-10T15:15:04.2043419Z"}, {"Name": "env_epoch", "Value": "4QPHR"}, {"Name": "env_seqNum", "Value": "87075075"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "becwebservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "becwebservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RBWSR554"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update user.", "Id": "83c924c1-f2e2-4b39-8eda-b80c3823a875"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": 
"ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": 
"targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", 
"Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, 
{"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", 
"OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": 
"version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": 
"ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": 
"a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": 
"ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": 
"restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": 
"ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], 
"ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": 
"correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 
8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", 
"Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": 
"Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, 
{"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", 
"Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", 
"Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": 
"5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, 
{"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": 
"5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, 
{"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", 
"Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": 
"nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, 
{"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n false\r\n]", "OldValue": "[]", "Name": "AvailableToOtherTenants"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": 
"[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", 
"Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], 
"ObjectId": "asr@testsiem.onmicrosoft.com", "ModifiedProperties": [{"Name": "Application.ObjectID", "OldValue": "", "NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "Application.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "Application.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "targetPUID", "Value": "1003200096971F55"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.7383513Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554439"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add owner to application.", "Id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]", "Name": "Credential"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": 
[{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": 
"restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", 
"NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": 
"", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", "OldValue": "[]", "Name": "ServicePrincipalName"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": 
"48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[]"}, {"Name": 
"correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826392"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, 
"ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]", "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]", "OldValue": "[]", "Name": "KeyDescription"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": 
"2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", 
"Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": 
"env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", 
"Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], 
"ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": 
"targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n 
},\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": 
"targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, 
"ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", 
"Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": 
"811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": 
"83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", 
"Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": 
"ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "siem2", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", 
"Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": 
"env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": 
[{"NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, 
{"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"NewValue": "", "OldValue": "", "Name": "ConsentContext.Tags"}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", 
"Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, 
{"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": 
"ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", 
"Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, 
"ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": 
"1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"NewValue": "asr@testsiem.onmicrosoft.com", "OldValue": "", "Name": "User.UPN"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": 
"env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"}
diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
new file mode 100644
index 000000000000..8c4c72334074
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
@@ -0,0 +1,15239 @@ +[ + { + "@timestamp": "2020-02-09T15:33:26.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:33:26", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + 
"o365.audit.ExtendedProperties.correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38438635", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:33:26.1037807Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + 
"o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:33:26.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + 
"event.dataset": "o365.audit", + "event.id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5611, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:33:26", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + 
"o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38438635", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:33:26.1037807Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + 
"o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:33:26.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + 
"event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 11222, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:33:26", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": 
"restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38438635", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:33:26.1037807Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:33:26.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 16833, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { 
+ "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:33:26", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38438642", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:33:26.1638042Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:33:26.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": 
"audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 20744, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:33:26", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38438642", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:33:26.1638042Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + 
"event.dataset": "o365.audit", + "event.id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 24655, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": 
"ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38464425", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:06.3062012Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 
365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": 
"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", 
+ "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 29810, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": 
"1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38464434", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:06.3062012Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + 
"ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 35008, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": 
"asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": 
"MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38464425", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:06.3062012Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + 
"o365.audit.Id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 40163, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38464434", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:06.3062012Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + 
"o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 45361, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR556", + 
"o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "o365.audit.ExtendedProperties.env_epoch": "31CXC", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "38464425", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:06.3062012Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "02868191-019a-453a-a3a9-a21f44898778", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 50516, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372061", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "02868191-019a-453a-a3a9-a21f44898778", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + 
"o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + 
"o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "02868191-019a-453a-a3a9-a21f44898778", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 55714, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + 
"o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + 
"o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372061", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "02868191-019a-453a-a3a9-a21f44898778", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + 
"related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 60912, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + 
"o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372052", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + 
"o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "02868191-019a-453a-a3a9-a21f44898778", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 66067, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": 
"755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372061", + 
"o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "02868191-019a-453a-a3a9-a21f44898778", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 71265, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372052", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": 
"ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + 
"o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + 
"client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 76420, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372052", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + 
"event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "02868191-019a-453a-a3a9-a21f44898778", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 81575, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372061", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "02868191-019a-453a-a3a9-a21f44898778", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + 
"event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 86773, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:47", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "o365.audit.ExtendedProperties.env_epoch": "FYE60", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "51372052", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:47.4999796Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:52.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + 
"event.dataset": "o365.audit", + "event.id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 91928, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:52", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + 
"o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR565", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", + "o365.audit.ExtendedProperties.env_epoch": "FQXLK", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "42492828", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:52.5873254Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + 
"o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:52.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + 
"event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 97179, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:52", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": 
"restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR565", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", + "o365.audit.ExtendedProperties.env_epoch": "FQXLK", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "42492828", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:52.5873254Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T15:34:52.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 102430, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + 
{ + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:34:52", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR565", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", + "o365.audit.ExtendedProperties.env_epoch": "FQXLK", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "42492835", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T15:34:52.6473040Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:25:54.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + 
"host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 106341, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:25:54", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR575", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", + "o365.audit.ExtendedProperties.env_epoch": "73AB6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43793182", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:25:54.7174137Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + 
"o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:25:54.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 111772, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": 
"1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:25:54", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR575", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", + "o365.audit.ExtendedProperties.env_epoch": "73AB6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43793182", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:25:54.7174137Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + 
"ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:25:54.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 117203, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + 
"ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:25:54", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR575", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", + "o365.audit.ExtendedProperties.env_epoch": "73AB6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": 
"ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43793182", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:25:54.7174137Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:25:54.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "606ae654-e71e-4a6b-a07c-85acd775667b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 122634, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + 
"o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:25:54", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR575", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", + "o365.audit.ExtendedProperties.env_epoch": "73AB6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + 
"o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43793206", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:25:54.7823970Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "606ae654-e71e-4a6b-a07c-85acd775667b", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": 
"71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 126545, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, 
+ { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + 
"o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795815", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9242333Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + 
"o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 131695, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + 
"o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + 
"o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795878", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9992570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + 
"source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 136845, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + 
"o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795815", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9242333Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + 
"source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 141995, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795878", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9992570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + 
"o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + 
"user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 147145, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795815", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9242333Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": 
"AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 152295, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + 
"o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795878", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9992570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + 
"o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ 
+ { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + 
"host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 157445, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + 
"o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795878", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9992570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + 
"ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:05.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 162595, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + 
"ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:05", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + 
"o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795815", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:05.9242333Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": 
"14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 167745, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + 
"o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795893", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:06.0142481Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + 
"service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-09T18:26:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 172525, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T18:26:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR530", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "o365.audit.ExtendedProperties.env_epoch": "0871Y", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "46795893", + "o365.audit.ExtendedProperties.env_time": "2020-02-09T18:26:06.0142481Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + 
"o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + 
"o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + 
"@timestamp": "2020-02-10T15:15:04.000Z", + "event.action": "Update user.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "83c924c1-f2e2-4b39-8eda-b80c3823a875", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 177305, + "o365.audit.Actor": [ + { + "ID": "fim_password_service@support.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "100300008060F582", + "Type": 3 + }, + { + "ID": "User_00000000-0000-0000-0000-000000000000", + "Type": 2 + }, + { + "ID": "00000000-0000-0000-0000-000000000000", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.CreationTime": "2020-02-10T15:15:04", + "o365.audit.ExtendedProperties.actorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "00000000-0000-0000-0000-000000000000", + "o365.audit.ExtendedProperties.actorPUID": "100300008060F582", + "o365.audit.ExtendedProperties.actorUPN": "fim_password_service@support.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"UserType\":\"Member\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "UserManagement", + "o365.audit.ExtendedProperties.correlationId": "4aa56c6c-8fa5-4787-a165-03f181541438", + "o365.audit.ExtendedProperties.env_appId": "becwebservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + 
"o365.audit.ExtendedProperties.env_cloud_role": "becwebservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RBWSR554", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000", + "o365.audit.ExtendedProperties.env_epoch": "4QPHR", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "87075075", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:15:04.2043419Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"StrongAuthenticationPhoneAppDetail\",\"TargetId.UserType\"]", + "o365.audit.ExtendedProperties.targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.targetPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.targetUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "83c924c1-f2e2-4b39-8eda-b80c3823a875", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "StrongAuthenticationPhoneAppDetail", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + 
"o365.audit.ModifiedProperties.TargetId_UserType.NewValue": "Member", + "o365.audit.ModifiedProperties.TargetId_UserType.OldValue": "", + "o365.audit.ObjectId": "asr@testsiem.onmicrosoft.com", + "o365.audit.Operation": "Update user.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "fim_password_service@support.onmicrosoft.com", + "o365.audit.UserKey": "100300008060F582@support.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "fim_password_service", + "service.type": "o365", + "user.domain": "support.onmicrosoft.com", + "user.id": "fim_password_service@support.onmicrosoft.com", + "user.name": "fim_password_service" + }, + { + "@timestamp": "2020-02-10T15:16:18.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 181962, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": 
"asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:16:18", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": 
"restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR581", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", + "o365.audit.ExtendedProperties.env_epoch": "Z4XUI", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43649666", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:16:18.9844570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + 
"o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Remove OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": 
"00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:16:18.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 187354, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": 
"asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:16:18", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": 
"restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR581", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", + "o365.audit.ExtendedProperties.env_epoch": "Z4XUI", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43649666", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:16:18.9844570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + 
"o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Remove OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": 
"00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:16:18.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 192746, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": 
"asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:16:18", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": 
"restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR581", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", + "o365.audit.ExtendedProperties.env_epoch": "Z4XUI", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43649666", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:16:18.9844570Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + 
"o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Remove OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": 
"00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 198138, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": 
"asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:00", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": 
"MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR551", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "o365.audit.ExtendedProperties.env_epoch": "OLE3R", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "55908032", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:00.2133065Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + 
"o365.audit.Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 203293, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:00", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR551", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "o365.audit.ExtendedProperties.env_epoch": "OLE3R", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "55908041", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:00.2133065Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + 
"o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 208491, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:00", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR551", + 
"o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "o365.audit.ExtendedProperties.env_epoch": "OLE3R", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "55908032", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:00.2133065Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 213646, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:00", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR551", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "o365.audit.ExtendedProperties.env_epoch": "OLE3R", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "55908041", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:00.2133065Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + 
"o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + 
"o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 218844, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + 
"o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:00", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR551", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "o365.audit.ExtendedProperties.env_epoch": "OLE3R", + 
"o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "55908041", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:00.2133065Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + 
"related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 224042, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + 
"o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735117", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + 
"o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 229197, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": 
"755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735126", + 
"o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 234395, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735126", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + 
"o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + 
"user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 239593, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + 
"o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735117", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + 
"o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": 
"83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Remove app role assignment from service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 244748, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735117", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Remove app role assignment from service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + 
"event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 249903, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735126", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add a deletion-marked app role assignment grant to service 
principal as part of link removal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 255101, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:17:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR519", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "o365.audit.ExtendedProperties.env_epoch": "95CEL", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "44735126", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:17:45.3474390Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + 
"event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 260299, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", 
+ "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118027", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3393756Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": 
"71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 264870, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + 
"Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + 
"o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118027", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3393756Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem", + "o365.audit.ExtendedProperties.targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ExtendedProperties.targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + 
"o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 + }, + { + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 269441, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118019", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3343965Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + 
"o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 274829, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118019", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3343965Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + 
"o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 280217, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118019", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3343965Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + 
"o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 285605, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43118019", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.3343965Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + 
"o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 290993, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43117912", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.1843731Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": 
"ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + 
"o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + 
"client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 296142, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43117959", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.2593808Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
+ "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment 
to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + 
"event.id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 301291, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + 
"o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43117959", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.2593808Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + 
"o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + 
"Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + 
"log.offset": 306440, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + 
"o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43117912", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.1843731Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + 
"ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 311589, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + 
"ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:30:06", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + 
"o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR57", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "o365.audit.ExtendedProperties.env_epoch": "38FW7", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "43117912", + "o365.audit.ExtendedProperties.env_time": "2020-02-10T15:30:06.1843731Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": 
"678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:30.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 316738, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:30", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR521", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + 
"o365.audit.ExtendedProperties.env_epoch": "SDA9U", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "41554400", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:30.6833528Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Add application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + 
"Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:30.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 321131, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 
+ } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:30", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR521", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + "o365.audit.ExtendedProperties.env_epoch": "SDA9U", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + 
"o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "41554400", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:30.6833528Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Add application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:30.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 325524, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + 
"o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:30", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR521", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + "o365.audit.ExtendedProperties.env_epoch": "SDA9U", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + 
"o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "41554400", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:30.6833528Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Add application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + 
"o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:30.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 329917, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:30", + 
"o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR521", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + "o365.audit.ExtendedProperties.env_epoch": "SDA9U", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "41554400", 
+ "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:30.6833528Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Add application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + 
"related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:30.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add owner to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 334310, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:30", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR521", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + "o365.audit.ExtendedProperties.env_epoch": "SDA9U", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + 
"o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "41554439", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:30.7383513Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]", + "o365.audit.ExtendedProperties.targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.targetPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.targetUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f", + "o365.audit.ModifiedProperties.Application_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.Application_AppId.OldValue": "", + "o365.audit.ModifiedProperties.Application_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.Application_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.Application_ObjectID.NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ModifiedProperties.Application_ObjectID.OldValue": "", + "o365.audit.ObjectId": "asr@testsiem.onmicrosoft.com", + "o365.audit.Operation": "Add owner to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { 
+ "ID": "User", + "Type": 2 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:31.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "48403af8-b712-4e63-a999-686b631240ac", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 338473, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:31", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "o365.audit.ExtendedProperties.env_epoch": "NNJOH", + 
"o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "39121960", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:31.1327910Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "48403af8-b712-4e63-a999-686b631240ac", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add service principal.", + "o365.audit.OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:31.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "48403af8-b712-4e63-a999-686b631240ac", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", 
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 343183, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:31", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "o365.audit.ExtendedProperties.env_epoch": "NNJOH", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "39121960", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:31.1327910Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "48403af8-b712-4e63-a999-686b631240ac", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + 
"o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:31.000Z", + "client.address": 
"83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "48403af8-b712-4e63-a999-686b631240ac", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 347893, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:31", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + 
"o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "o365.audit.ExtendedProperties.env_epoch": "NNJOH", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "39121960", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:31.1327910Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "48403af8-b712-4e63-a999-686b631240ac", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + 
"source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:36:31.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "48403af8-b712-4e63-a999-686b631240ac", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 352603, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:36:31", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + 
"o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR568", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "o365.audit.ExtendedProperties.env_epoch": "NNJOH", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "39121960", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:36:31.1327910Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "48403af8-b712-4e63-a999-686b631240ac", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + 
"o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 357313, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + 
"o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826392", 
+ "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.0442303Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + 
"source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application \u2013 Certificates and secrets management ", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 360775, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + 
"o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826385", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.0442303Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"KeyDescription\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "KeyDescription", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application \u2013 Certificates and secrets management ", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": 
"83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application \u2013 Certificates and secrets management ", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 364657, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826385", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.0442303Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"KeyDescription\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + 
"o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "KeyDescription", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application \u2013 Certificates and secrets management ", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + 
"client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "15adbe69-7974-41ec-8341-208456600ad3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 368539, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": 
"531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826464", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.1042022Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + 
"o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "15adbe69-7974-41ec-8341-208456600ad3", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + 
"source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "15adbe69-7974-41ec-8341-208456600ad3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 372452, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826464", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.1042022Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + 
"o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "15adbe69-7974-41ec-8341-208456600ad3", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": 
"Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:42:45.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "15adbe69-7974-41ec-8341-208456600ad3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 376365, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:42:45", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + 
"o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR559", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "o365.audit.ExtendedProperties.env_epoch": "VYXPT", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "45826464", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:42:45.1042022Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + 
"o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "15adbe69-7974-41ec-8341-208456600ad3", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
+ "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 380278, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620418", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2045249Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + 
"o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 385372, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + 
"o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620418", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2045249Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + 
"user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 390466, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620418", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2045249Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Application", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": 
"33cdc459-1335-4d6c-b773-f5eef4df7793", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "RequiredResourceAccess", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ObjectId": "Not Available", + "o365.audit.Operation": "Update application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 + }, + { + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update 
service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 395560, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620448", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2595378Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": 
"99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": 
"asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 399473, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + 
"o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620448", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2595378Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + 
"source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Update service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 403386, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:37", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + 
"o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34620448", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:37.2595378Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "o365.audit.ModifiedProperties.Included_Updated_Properties.NewValue": "", + "o365.audit.ModifiedProperties.Included_Updated_Properties.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Update service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + 
"related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "256e3859-87ca-4b23-b2c0-45a26ccd7925", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 407299, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + 
"o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622707", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.8071361Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + 
"o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 412451, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": 
"1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622751", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.8821342Z", + 
"o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + 
"source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 417603, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622781", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.9571526Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + 
"o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + 
"client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 422755, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": 
"[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622751", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.8821342Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + 
"o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": 
"AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 427907, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + 
"o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622781", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.9571526Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + 
"o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ 
+ { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + 
"host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 433059, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + 
"o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622751", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.8821342Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { 
+ "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "256e3859-87ca-4b23-b2c0-45a26ccd7925", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 438211, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + 
"ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + 
"o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622707", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.8071361Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": 
"256e3859-87ca-4b23-b2c0-45a26ccd7925", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment to service principal.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 443363, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:41", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + 
"o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622781", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:41.9571526Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Office 365 Management APIs", + "o365.audit.ExtendedProperties.targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "o365.audit.ExtendedProperties.targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + 
"o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "siem2", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "o365.audit.Operation": "Add app role assignment to service principal.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Office 365 Management APIs", + "Type": 1 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 + }, + { + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 448515, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + 
"o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + 
"o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622817", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.0571467Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + 
"o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 453904, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + 
"o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + 
"o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622817", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.0571467Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + 
"o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + 
"o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add OAuth2PermissionGrant.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 459293, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + 
"o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + 
"o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622817", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.0571467Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "Microsoft Graph", + "o365.audit.ExtendedProperties.targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "o365.audit.ExtendedProperties.targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "db3ce560-1c2f-4c85-b305-55ad6476250f", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_AppId.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_DisplayName.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.NewValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_Name.OldValue": "", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.NewValue": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ModifiedProperties.ServicePrincipal_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "o365.audit.Operation": "Add OAuth2PermissionGrant.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 + }, + { + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": 
"AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 464682, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622848", + "o365.audit.ExtendedProperties.env_time": 
"2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + 
"o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to 
application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 469256, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + 
"o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622848", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + 
{ + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Consent to application.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 473830, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": 
"User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.auditEventCategory": "ApplicationManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + 
"o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622848", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "ServicePrincipal", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "o365.audit.ModifiedProperties.ConsentAction_Permissions.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_IsAdminConsent.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.NewValue": "False", + 
"o365.audit.ModifiedProperties.ConsentContext_IsAppOnly.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.NewValue": "True", + "o365.audit.ModifiedProperties.ConsentContext_OnBehalfOfAll.OldValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.NewValue": "", + "o365.audit.ModifiedProperties.ConsentContext_Tags.OldValue": "", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Consent to application.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment grant to user.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 478404, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "UserManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622843", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.ExtendedProperties.nCloud": "", + 
"o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ModifiedProperties.User_ObjectID.NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ModifiedProperties.User_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.User_PUID.NewValue": "1003200096971F55", + "o365.audit.ModifiedProperties.User_PUID.OldValue": "", + "o365.audit.ModifiedProperties.User_UPN.NewValue": "asr@testsiem.onmicrosoft.com", + "o365.audit.ModifiedProperties.User_UPN.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add app role assignment grant to user.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment grant to user.", + "event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 482728, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + 
"ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": "UserManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622843", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ModifiedProperties.User_ObjectID.NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ModifiedProperties.User_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.User_PUID.NewValue": "1003200096971F55", + "o365.audit.ModifiedProperties.User_PUID.OldValue": "", + 
"o365.audit.ModifiedProperties.User_UPN.NewValue": "asr@testsiem.onmicrosoft.com", + "o365.audit.ModifiedProperties.User_UPN.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add app role assignment grant to user.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "Add app role assignment grant to user.", + 
"event.category": "web", + "event.code": "AzureActiveDirectory", + "event.dataset": "o365.audit", + "event.id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 487052, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:45:42", + "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.actorObjectClass": "User", + "o365.audit.ExtendedProperties.actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ExtendedProperties.actorPUID": "1003200096971F55", + "o365.audit.ExtendedProperties.actorUPN": "asr@testsiem.onmicrosoft.com", + "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "o365.audit.ExtendedProperties.additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "o365.audit.ExtendedProperties.auditEventCategory": 
"UserManagement", + "o365.audit.ExtendedProperties.correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "o365.audit.ExtendedProperties.env_appId": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_appVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_deploymentUnit": "R5", + "o365.audit.ExtendedProperties.env_cloud_environment": "PROD", + "o365.audit.ExtendedProperties.env_cloud_name": "MSO-AM5R", + "o365.audit.ExtendedProperties.env_cloud_role": "restdirectoryservice", + "o365.audit.ExtendedProperties.env_cloud_roleInstance": "AM5RRDSR571", + "o365.audit.ExtendedProperties.env_cloud_roleVer": "1.0.11737.0", + "o365.audit.ExtendedProperties.env_cloud_ver": "1.0", + "o365.audit.ExtendedProperties.env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "o365.audit.ExtendedProperties.env_epoch": "748B6", + "o365.audit.ExtendedProperties.env_flags": "257", + "o365.audit.ExtendedProperties.env_iKey": "ikey", + "o365.audit.ExtendedProperties.env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "o365.audit.ExtendedProperties.env_os": "", + "o365.audit.ExtendedProperties.env_osVer": "", + "o365.audit.ExtendedProperties.env_popSample": "0", + "o365.audit.ExtendedProperties.env_seqNum": "34622843", + "o365.audit.ExtendedProperties.env_time": "2020-02-11T16:45:42.1421458Z", + "o365.audit.ExtendedProperties.env_ver": "2.1", + "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User", + "o365.audit.ExtendedProperties.nCloud": "", + "o365.audit.ExtendedProperties.resultType": "Success", + "o365.audit.ExtendedProperties.targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ExtendedProperties.targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "o365.audit.ExtendedProperties.targetName": "siem2", + "o365.audit.ExtendedProperties.targetObjectId": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855", + "o365.audit.ExtendedProperties.targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ExtendedProperties.teamName": "MSODS.", + "o365.audit.ExtendedProperties.version": "2", + "o365.audit.Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.ModifiedProperties.TargetId_ServicePrincipalNames.OldValue": "", + "o365.audit.ModifiedProperties.User_ObjectID.NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.ModifiedProperties.User_ObjectID.OldValue": "", + "o365.audit.ModifiedProperties.User_PUID.NewValue": "1003200096971F55", + "o365.audit.ModifiedProperties.User_PUID.OldValue": "", + "o365.audit.ModifiedProperties.User_UPN.NewValue": "asr@testsiem.onmicrosoft.com", + "o365.audit.ModifiedProperties.User_UPN.OldValue": "", + "o365.audit.ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "o365.audit.Operation": "Add app role assignment grant to user.", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 8, + "o365.audit.ResultStatus": "Success", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 + }, + { + "ID": "ServicePrincipal", + "Type": 2 + }, + { + "ID": "siem2", + "Type": 1 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 + }, + { + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log new file mode 100644 index 000000000000..ee5223f953d9 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log 
@@ -0,0 +1,7 @@ +{"Workload": "OneDrive", "SensitiveInfoDetectionIsIncluded": false, "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:20:15", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "Low", "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "ConditionsMatched": {"SensitiveInformation": [{"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["NotifyUser"], "RuleName": "Low volume of content detected U.S. Financial", "ActionParameters": [], "RuleMode": "Enable"}], "PolicyName": "U.S. Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "ItemLastModifiedTime": "2020-02-25T16:19:43", "ItemCreationTime": "2020-02-25T15:22:49", "FileName": "Customers Financial Data.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "FileOwner": "Alan Smithee", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", "Id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", "RecordType": 11} +{"Workload": "OneDrive", "SensitiveInfoDetectionIsIncluded": false, "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", 
"ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected U.S. Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "U.S. Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "ItemCreationTime": "2020-02-25T16:21:50", "FileName": "Customers Financial Data Copy.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "FileOwner": "Alan Smithee"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", "Id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", "RecordType": 11} +{"Workload": "OneDrive", "RecordType": 11, "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "Low", "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["NotifyUser"], "RuleName": "Low volume of 
content detected U.S. Financial", "ActionParameters": [], "RuleMode": "Enable"}], "PolicyName": "U.S. Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "ItemCreationTime": "2020-02-25T16:21:50", "FileName": "Customers Financial Data Copy.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "FileOwner": "Alan Smithee", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", "Id": "50a90c83-7e15-4679-8778-d9dd30927e66", "SensitiveInfoDetectionIsIncluded": false} +{"Workload": "OneDrive", "RecordType": 11, "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "CreationTime": "2020-02-25T16:22:22", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", "ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected U.S. Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "U.S. 
Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "ItemCreationTime": "2020-02-25T15:22:49", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "FileOwner": "Alan Smithee", "FileName": "Customers Financial Data.docx"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", "Id": "59652f9a-087c-4b65-b88c-b293ade34202", "SensitiveInfoDetectionIsIncluded": false} +{"Workload": "OneDrive", "RecordType": 11, "ObjectId": "f026407b-090a-4c15-99b5-09851842d96d", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-26T10:13:48", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "bc4d376f-b038-4695-9362-609d32f963cf", "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 23, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected France Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": 
"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", "ItemLastModifiedTime": "2020-02-26T09:46:23", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "ItemCreationTime": "2020-02-26T09:44:40", "FileName": "INTERNAL CREDIT CARD NUMBERS.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "f026407b-090a-4c15-99b5-09851842d96d", "FileOwner": "Alan Smithee"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "f7295114-e601-f2b6-8800-08d7baa56f8b", "Id": "d69c6758-f210-43bd-bac1-563adef4b4cf", "SensitiveInfoDetectionIsIncluded": false} +{"Workload": "SharePoint", "SensitiveInfoDetectionIsIncluded": false, "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "RuleName": "Low volume of content detected France Financial", "Actions": ["NotifyUser", "GenerateAlert"], "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 2, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "ActionParameters": ["GenerateAlert:asr@testsiem2.onmicrosoft.com"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "alice@testsiem2.onmicrosoft.com", "UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", "FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "ItemLastModifiedTime": "2020-02-26T09:56:12", "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", "ItemCreationTime": "2020-02-26T09:55:38", 
"SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", "FileSize": 35920, "IsViewableByExternalUsers": false, "FileOwner": "alice@testsiem2.onmicrosoft.com", "FileName": "Document.docx"}, "UserKey": "DLPAgent", "Operation": "DLPRuleMatch", "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", "RecordType": 11} +{"Workload": "SharePoint", "SensitiveInfoDetectionIsIncluded": false, "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 2, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "Actions": ["NotifyUser", "GenerateAlert"], "RuleName": "Low volume of content detected France Financial", "ActionParameters": ["GenerateAlert:asr@testsiem2.onmicrosoft.com"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "alice@testsiem2.onmicrosoft.com", "IsViewableByExternalUsers": false, "FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "ItemLastModifiedTime": "2020-02-26T09:56:12", "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", "ItemCreationTime": "2020-02-26T09:55:38", "FileName": "Document.docx", "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", "FileSize": 35920, "UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", "FileOwner": "alice@testsiem2.onmicrosoft.com"}, "UserKey": "DLPAgent", "Operation": "DLPRuleMatch", "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", "RecordType": 11} 
diff --git a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json
new file mode 100644
index 000000000000..8d1e8e5a3287
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json
@@ -0,0 +1,626 @@ +[ + { + "@timestamp": "2020-02-25T16:20:15.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.severity": 2, + "event.type": "access", + "file.inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "file.name": "Customers Financial Data.docx", + "file.owner": "Alan Smithee", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 0, + "o365.audit.CreationTime": "2020-02-25T16:20:15", + "o365.audit.Id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", + "o365.audit.IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", + "o365.audit.ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", + "Rules": [ + { + "ActionParameters": [], + "Actions": [ + "NotifyUser" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf" + } + ] + }, + "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected U.S. 
Financial", + "Severity": "Low" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Customers Financial Data.docx", + "o365.audit.SharePointMetaData.FileOwner": "Alan Smithee", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", + "o365.audit.SharePointMetaData.From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-25T15:22:49", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-25T16:19:43", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", + "o365.audit.SharePointMetaData.UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "o365.audit.UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "OneDrive", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "ASR", + "Alan Smithee" + ], + "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "rule.name": "Low volume of content detected U.S. 
Financial", + "service.type": "o365", + "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", + "user.domain": "TESTSIEM2.ONMICROSOFT.COM", + "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "user.name": "ASR" + }, + { + "@timestamp": "2020-02-25T16:23:39.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "OneDrive", + "event.severity": 4, + "event.type": "access", + "file.inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "file.name": "Customers Financial Data Copy.docx", + "file.owner": "Alan Smithee", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 1559, + "o365.audit.CreationTime": "2020-02-25T16:23:39", + "o365.audit.Id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", + "o365.audit.IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", + "o365.audit.ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. 
Financial Data", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:SiteAdmin" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 12, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 75, + "Count": 1, + "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf" + } + ] + }, + "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", + "RuleMode": "Enable", + "RuleName": "High volume of content detected U.S. Financial", + "Severity": "High" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Customers Financial Data Copy.docx", + "o365.audit.SharePointMetaData.FileOwner": "Alan Smithee", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", + "o365.audit.SharePointMetaData.From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-25T16:21:50", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-25T16:21:44", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", + "o365.audit.SharePointMetaData.UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "o365.audit.UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "OneDrive", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "ASR", + "Alan Smithee" + ], + "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", + "rule.name": "High volume 
of content detected U.S. Financial", + "service.type": "o365", + "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", + "user.domain": "TESTSIEM2.ONMICROSOFT.COM", + "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "user.name": "ASR" + }, + { + "@timestamp": "2020-02-25T16:23:39.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "50a90c83-7e15-4679-8778-d9dd30927e66", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.severity": 2, + "event.type": "access", + "file.inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "file.name": "Customers Financial Data Copy.docx", + "file.owner": "Alan Smithee", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 3297, + "o365.audit.CreationTime": "2020-02-25T16:23:39", + "o365.audit.Id": "50a90c83-7e15-4679-8778-d9dd30927e66", + "o365.audit.IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", + "o365.audit.ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", + "Rules": [ + { + "ActionParameters": [], + "Actions": [ + "NotifyUser" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 12, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 75, + "Count": 1, + "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf" + } + ] + }, + "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected U.S. 
Financial", + "Severity": "Low" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Customers Financial Data Copy.docx", + "o365.audit.SharePointMetaData.FileOwner": "Alan Smithee", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", + "o365.audit.SharePointMetaData.From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-25T16:21:50", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-25T16:21:44", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", + "o365.audit.SharePointMetaData.UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "o365.audit.UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "OneDrive", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "ASR", + "Alan Smithee" + ], + "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "rule.name": "Low volume of content detected U.S. 
Financial", + "service.type": "o365", + "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", + "user.domain": "TESTSIEM2.ONMICROSOFT.COM", + "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "user.name": "ASR" + }, + { + "@timestamp": "2020-02-25T16:22:22.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "59652f9a-087c-4b65-b88c-b293ade34202", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "OneDrive", + "event.severity": 4, + "event.type": "access", + "file.inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "file.name": "Customers Financial Data.docx", + "file.owner": "Alan Smithee", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 4958, + "o365.audit.CreationTime": "2020-02-25T16:22:22", + "o365.audit.Id": "59652f9a-087c-4b65-b88c-b293ade34202", + "o365.audit.IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", + "o365.audit.ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. 
Financial Data", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:SiteAdmin" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 12, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 75, + "Count": 1, + "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf" + } + ] + }, + "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", + "RuleMode": "Enable", + "RuleName": "High volume of content detected U.S. Financial", + "Severity": "High" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Customers Financial Data.docx", + "o365.audit.SharePointMetaData.FileOwner": "Alan Smithee", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", + "o365.audit.SharePointMetaData.From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-25T15:22:49", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-25T16:21:44", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", + "o365.audit.SharePointMetaData.UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "o365.audit.UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "OneDrive", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "ASR", + "Alan Smithee" + ], + "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", + "rule.name": "High volume of content 
detected U.S. Financial", + "service.type": "o365", + "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", + "user.domain": "TESTSIEM2.ONMICROSOFT.COM", + "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "user.name": "ASR" + }, + { + "@timestamp": "2020-02-26T10:13:48.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "d69c6758-f210-43bd-bac1-563adef4b4cf", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "OneDrive", + "event.severity": 4, + "event.type": "access", + "file.inode": "f026407b-090a-4c15-99b5-09851842d96d", + "file.name": "INTERNAL CREDIT CARD NUMBERS.docx", + "file.owner": "Alan Smithee", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 6684, + "o365.audit.CreationTime": "2020-02-26T10:13:48", + "o365.audit.Id": "d69c6758-f210-43bd-bac1-563adef4b4cf", + "o365.audit.IncidentId": "f7295114-e601-f2b6-8800-08d7baa56f8b", + "o365.audit.ObjectId": "f026407b-090a-4c15-99b5-09851842d96d", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", + "PolicyName": "Financial Data Detection", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:SiteAdmin" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 42, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 85, + "Count": 23, + "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42" + } + ] + }, + "RuleId": "bc4d376f-b038-4695-9362-609d32f963cf", + "RuleMode": "Enable", + "RuleName": "High volume 
of content detected France Financial", + "Severity": "High" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "INTERNAL CREDIT CARD NUMBERS.docx", + "o365.audit.SharePointMetaData.FileOwner": "Alan Smithee", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", + "o365.audit.SharePointMetaData.From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-26T09:44:40", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-26T09:46:23", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", + "o365.audit.SharePointMetaData.UniqueID": "f026407b-090a-4c15-99b5-09851842d96d", + "o365.audit.UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "OneDrive", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "ASR", + "Alan Smithee" + ], + "rule.id": "bc4d376f-b038-4695-9362-609d32f963cf", + "rule.name": "High volume of content detected France Financial", + "service.type": "o365", + "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", + "user.domain": "TESTSIEM2.ONMICROSOFT.COM", + "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "user.name": "ASR" + }, + { + "@timestamp": "2020-02-26T12:39:40.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": 
"93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.severity": 4, + "event.type": "access", + "file.inode": "3ace820e-9358-4520-9df6-5bd65602cef0", + "file.name": "Document.docx", + "file.owner": "alice@testsiem2.onmicrosoft.com", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 8428, + "o365.audit.CreationTime": "2020-02-26T12:39:40", + "o365.audit.Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + "o365.audit.IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", + "PolicyName": "Financial Data Detection", + "Rules": [ + { + "ActionParameters": [ + "GenerateAlert:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "NotifyUser", + "GenerateAlert" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 42, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 85, + "Count": 2, + "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42" + } + ] + }, + "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected France Financial", + "Severity": "High" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Document.docx", + "o365.audit.SharePointMetaData.FileOwner": "alice@testsiem2.onmicrosoft.com", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", + "o365.audit.SharePointMetaData.FileSize": 35920, + "o365.audit.SharePointMetaData.From": "alice@testsiem2.onmicrosoft.com", + 
"o365.audit.SharePointMetaData.IsViewableByExternalUsers": false, + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-26T09:55:38", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-26T09:56:12", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", + "o365.audit.SharePointMetaData.UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", + "o365.audit.UserId": "DLPAgent", + "o365.audit.UserKey": "DLPAgent", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "SharePoint", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "alice", + "alice@testsiem2.onmicrosoft.com" + ], + "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "rule.name": "Low volume of content detected France Financial", + "service.type": "o365", + "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", + "user.domain": "testsiem2.onmicrosoft.com", + "user.id": "alice@testsiem2.onmicrosoft.com", + "user.name": "alice" + }, + { + "@timestamp": "2020-02-26T12:39:40.000Z", + "event.action": "DLPRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPSharePoint", + "event.dataset": "o365.audit", + "event.id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.severity": 4, + "event.type": "access", + "file.inode": "3ace820e-9358-4520-9df6-5bd65602cef0", + "file.name": "Document.docx", + "file.owner": "alice@testsiem2.onmicrosoft.com", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 10042, + "o365.audit.CreationTime": "2020-02-26T12:39:40", + "o365.audit.Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + 
"o365.audit.IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", + "o365.audit.Operation": "DLPRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", + "PolicyName": "Financial Data Detection", + "Rules": [ + { + "ActionParameters": [ + "GenerateAlert:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "NotifyUser", + "GenerateAlert" + ], + "ConditionsMatched": { + "SensitiveInformation": [ + { + "Confidence": 85, + "Count": 42, + "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085" + }, + { + "Confidence": 85, + "Count": 2, + "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42" + } + ] + }, + "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected France Financial", + "Severity": "High" + } + ] + } + ], + "o365.audit.RecordType": 11, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Document.docx", + "o365.audit.SharePointMetaData.FileOwner": "alice@testsiem2.onmicrosoft.com", + "o365.audit.SharePointMetaData.FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", + "o365.audit.SharePointMetaData.FileSize": 35920, + "o365.audit.SharePointMetaData.From": "alice@testsiem2.onmicrosoft.com", + "o365.audit.SharePointMetaData.IsViewableByExternalUsers": false, + "o365.audit.SharePointMetaData.ItemCreationTime": "2020-02-26T09:55:38", + "o365.audit.SharePointMetaData.ItemLastModifiedTime": "2020-02-26T09:56:12", + "o365.audit.SharePointMetaData.SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", + "o365.audit.SharePointMetaData.SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", + "o365.audit.SharePointMetaData.UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", + "o365.audit.UserId": "DLPAgent", + "o365.audit.UserKey": "DLPAgent", + 
"o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "SharePoint", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "alice", + "alice@testsiem2.onmicrosoft.com" + ], + "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "rule.name": "Low volume of content detected France Financial", + "service.type": "o365", + "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", + "user.domain": "testsiem2.onmicrosoft.com", + "user.id": "alice@testsiem2.onmicrosoft.com", + "user.name": "alice" + } +]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log
new file mode 100644
index 000000000000..8d0622d352f0
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log
@@ -0,0 +1,6 @@ +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony 
data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13} +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected 
test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleUndo","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13} +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"ExceptionInfo":"{ \"Justification\": \"I really need to share those files\" }","PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13} +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"ExceptionInfo":{ "FalsePositive": true },"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13} +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"DlpAgent","CreationTime":"2020-02-24T20:11:15","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"Low","RuleId":"8398c03a-a00d-42bb-8f80-ead0ad04e1df","RuleName":"Low volume of content detected test","Actions":["NotifyUser"],"ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13310,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"a42123a9-1c07-4dde-9be6-ac71cb9fd16b","RecordType":13} +{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"DlpAgent","CreationTime":"2020-02-24T20:11:15","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"Low","RuleId":"8398c03a-a00d-42bb-8f80-ead0ad04e1df","RuleName":"Low volume of content detected test","Actions":["NotifyUser"],"ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"SharePointMetaData":{"From":"alice@testsiem2.onmicrosoft.com","itemCreationTime":"2020-02-20T11:23:45","UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","FileName":"Company-Internal-Financial.docx","FileOwner":"alice@testsiem2.onmicrosoft.com","FilePathUrl":"https://example.net/testsiem2.onmicrosoft.com/sharepoint","LastModifiedTime":"2020-02-24T12:13:14Z"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"a42123a9-1c07-4dde-9be6-ac71cb9fd16b","RecordType":13} 
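Review bot: The last record of this fixture keeps `"Workload":"Exchange"` and `"RecordType":13` but replaces `ExchangeMetaData` with a `SharePointMetaData` object whose keys differ in casing and format from the SharePoint fixture (`itemCreationTime` with a lowercase initial, `LastModifiedTime` with a `Z` suffix, versus `ItemCreationTime`/`ItemLastModifiedTime` in 11-dlp-sharepoint.log), and it reuses the `Id` of the preceding record. Records 3 and 4 likewise carry `ExceptionInfo` once as a JSON-encoded string and once as an object. These read as deliberate probes of how the pipeline copes with atypical input, but nothing records that intent, so a later cleanup that normalises the fixture would silently drop the coverage. Since a `.log` fixture cannot hold comments, the intent belongs next to the fixture in the module's test documentation, or the atypical records could move to a separately named fixture file whose name states what they exercise.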
diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json
new file mode 100644
index 000000000000..2a245f64168c
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json
@@ -0,0 +1,780 @@ +[ + { + "@timestamp": "2020-02-24T20:11:15.000Z", + "destination.user.email": [ + "asr@example.org", + "asr@example.net" + ], + "event.action": "DlpRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "Exchange", + "event.severity": 4, + "event.type": "access", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 0, + "message": "Here's the phony data", + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.ExchangeMetaData.BCC": [], + "o365.audit.ExchangeMetaData.CC": [ + "asr@example.net" + ], + "o365.audit.ExchangeMetaData.FileSize": 13405, + "o365.audit.ExchangeMetaData.From": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ExchangeMetaData.MessageID": "", + "o365.audit.ExchangeMetaData.RecipientCount": 2, + "o365.audit.ExchangeMetaData.Sent": "2020-02-24T20:11:14", + "o365.audit.ExchangeMetaData.Subject": "Here's the phony data", + "o365.audit.ExchangeMetaData.To": [ + "asr@example.org" + ], + "o365.audit.ExchangeMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.Id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + 
"SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" + }, + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "rule.id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" + ], + "rule.name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ], + "service.type": "o365", + "source.user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "DlpAgent" + }, + { + "@timestamp": "2020-02-24T20:11:15.000Z", + 
"destination.user.email": [ + "asr@example.org", + "asr@example.net" + ], + "event.action": "DlpRuleUndo", + "event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.severity": 4, + "event.type": "access", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 2230, + "message": "Here's the phony data", + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.ExchangeMetaData.BCC": [], + "o365.audit.ExchangeMetaData.CC": [ + "asr@example.net" + ], + "o365.audit.ExchangeMetaData.FileSize": 13405, + "o365.audit.ExchangeMetaData.From": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ExchangeMetaData.MessageID": "", + "o365.audit.ExchangeMetaData.RecipientCount": 2, + "o365.audit.ExchangeMetaData.Sent": "2020-02-24T20:11:14", + "o365.audit.ExchangeMetaData.Subject": "Here's the phony data", + "o365.audit.ExchangeMetaData.To": [ + "asr@example.org" + ], + "o365.audit.ExchangeMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.Id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleUndo", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": 
"Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" + }, + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "rule.id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" + ], + "rule.name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ], + "service.type": "o365", + "source.user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "DlpAgent" + }, + { + "@timestamp": "2020-02-24T20:11:15.000Z", + "destination.user.email": [ + "asr@example.org", + "asr@example.net" + ], + "event.action": 
"DlpRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.severity": 4, + "event.type": "access", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 4459, + "message": "Here's the phony data", + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.ExceptionInfo.Reason": "{ \"Justification\": \"I really need to share those files\" }", + "o365.audit.ExchangeMetaData.BCC": [], + "o365.audit.ExchangeMetaData.CC": [ + "asr@example.net" + ], + "o365.audit.ExchangeMetaData.FileSize": 13405, + "o365.audit.ExchangeMetaData.From": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ExchangeMetaData.MessageID": "", + "o365.audit.ExchangeMetaData.RecipientCount": 2, + "o365.audit.ExchangeMetaData.Sent": "2020-02-24T20:11:14", + "o365.audit.ExchangeMetaData.Subject": "Here's the phony data", + "o365.audit.ExchangeMetaData.To": [ + "asr@example.org" + ], + "o365.audit.ExchangeMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.Id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + 
"Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" + }, + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "rule.id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" + ], + "rule.name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ], + "service.type": "o365", + "source.user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "DlpAgent" + }, + { + "@timestamp": "2020-02-24T20:11:15.000Z", + "destination.user.email": [ + "asr@example.org", + "asr@example.net" + ], + 
"event.action": "DlpRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.severity": 4, + "event.type": "access", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 6769, + "message": "Here's the phony data", + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.ExceptionInfo.FalsePositive": true, + "o365.audit.ExchangeMetaData.BCC": [], + "o365.audit.ExchangeMetaData.CC": [ + "asr@example.net" + ], + "o365.audit.ExchangeMetaData.FileSize": 13405, + "o365.audit.ExchangeMetaData.From": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ExchangeMetaData.MessageID": "", + "o365.audit.ExchangeMetaData.RecipientCount": 2, + "o365.audit.ExchangeMetaData.Sent": "2020-02-24T20:11:14", + "o365.audit.ExchangeMetaData.Subject": "Here's the phony data", + "o365.audit.ExchangeMetaData.To": [ + "asr@example.org" + ], + "o365.audit.ExchangeMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.Id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + 
"SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" + }, + { + "ActionParameters": [ + "GenerateIncidentReport:asr@testsiem2.onmicrosoft.com" + ], + "Actions": [ + "BlockAccess", + "NotifyUser", + "GenerateIncidentReport" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "rule.id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" + ], + "rule.name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ], + "service.type": "o365", + "source.user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "DlpAgent" + }, + { + "@timestamp": "2020-02-24T20:11:15.000Z", + "destination.user.email": [ + "asr@example.org", + "asr@example.net" + ], + "event.action": "DlpRuleMatch", + 
"event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.severity": 2, + "event.type": "access", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 9041, + "message": "Here's the phony data", + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.ExchangeMetaData.BCC": [], + "o365.audit.ExchangeMetaData.CC": [ + "asr@example.net" + ], + "o365.audit.ExchangeMetaData.FileSize": 13310, + "o365.audit.ExchangeMetaData.From": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ExchangeMetaData.MessageID": "", + "o365.audit.ExchangeMetaData.RecipientCount": 2, + "o365.audit.ExchangeMetaData.Sent": "2020-02-24T20:11:14", + "o365.audit.ExchangeMetaData.Subject": "Here's the phony data", + "o365.audit.ExchangeMetaData.To": [ + "asr@example.org" + ], + "o365.audit.ExchangeMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.Id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "Actions": [ + "NotifyUser" + ], + "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + 
"UniqueCount": 1 + } + ] + }, + "RuleId": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected test", + "Severity": "Low" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "rule.id": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", + "rule.name": "Low volume of content detected test", + "service.type": "o365", + "source.user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "DlpAgent" + }, + { + "@timestamp": "2020-02-24T20:11:15.000Z", + "event.action": "DlpRuleMatch", + "event.category": "file", + "event.code": "ComplianceDLPExchange", + "event.dataset": "o365.audit", + "event.id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Exchange", + "event.severity": 2, + "event.type": "access", + "file.inode": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "file.mtime": "2020-02-24T12:13:14.000Z", + "file.name": "Company-Internal-Financial.docx", + "file.owner": "alice@testsiem2.onmicrosoft.com", + "fileset.name": "audit", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 10504, + "o365.audit.CreationTime": "2020-02-24T20:11:15", + "o365.audit.Id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "o365.audit.IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "o365.audit.ObjectId": "", + "o365.audit.Operation": "DlpRuleMatch", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.PolicyDetails": [ + { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", + "Rules": [ + { + "Actions": [ + "NotifyUser" + ], + "ConditionsMatched": { + "OtherConditions": [ + 
{ + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], + "SensitiveInformation": [ + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 + }, + { + "Confidence": 75, + "Count": 1, + "Location": "Message Body", + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 + } + ] + }, + "RuleId": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected test", + "Severity": "Low" + } + ] + } + ], + "o365.audit.RecordType": 13, + "o365.audit.SensitiveInfoDetectionIsIncluded": false, + "o365.audit.SharePointMetaData.FileName": "Company-Internal-Financial.docx", + "o365.audit.SharePointMetaData.FileOwner": "alice@testsiem2.onmicrosoft.com", + "o365.audit.SharePointMetaData.FilePathUrl": "https://example.net/testsiem2.onmicrosoft.com/sharepoint", + "o365.audit.SharePointMetaData.From": "alice@testsiem2.onmicrosoft.com", + "o365.audit.SharePointMetaData.LastModifiedTime": "2020-02-24T12:13:14Z", + "o365.audit.SharePointMetaData.UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "o365.audit.SharePointMetaData.itemCreationTime": "2020-02-20T11:23:45", + "o365.audit.UserId": "DlpAgent", + "o365.audit.UserKey": "1153801116545789462", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "Exchange", + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.user": [ + "alice", + "alice@testsiem2.onmicrosoft.com" + ], + "rule.id": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", + "rule.name": "Low volume of content detected test", + "service.type": "o365", + "url.original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint", + "user.domain": "testsiem2.onmicrosoft.com", + "user.id": "alice@testsiem2.onmicrosoft.com", + "user.name": "alice" + } +] \ No newline at end of file 
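Review bot: The final event in this expected file (the record carrying SharePointMetaData) sets `user.id` to `alice@testsiem2.onmicrosoft.com` and `related.user` to `alice`, although `o365.audit.UserId` is still `DlpAgent`, while the five Exchange events keep `user.id` as `DlpAgent`, put the mailbox owner in `source.user.email` and emit no `related.user` at all. If that asymmetry is intended, the pipeline that produces it (outside this hunk; I am inferring the mapping from the expected output) deserves a comment such as `# For SharePoint/OneDrive DLP records the file owner is promoted to user.*; for Exchange the actor stays the DLP agent and the sender goes to source.user.email`, because detection content keyed on `user.id` will otherwise see different identities for the same agent. Separately, `rule.id` and `rule.name` are arrays when a policy has several rules and scalars when it has one; that is valid for keyword fields but is worth a line in the fileset docs so rule authors do not assume a scalar.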
diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log
new file mode 100644
index 000000000000..1e4f08e2f593
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log
@@ -0,0 +1,10 @@ +{"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","TargetUserOrGroupName":"Everyone except external users","Operation":"AddedToGroup","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","ClientIP":"","EventData":"Site Members","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"TargetUserOrGroupType":"SecurityGroup","Version":1,"UserId":"app@sharepoint","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","CreationTime":"2020-02-17T16:59:50","UserAgent":"","Id":"4d1a6a2b-360c-423d-96e5-08d7b3cacd83","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","UserType":0} +{"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","TargetUserOrGroupName":"SHAREPOINT\\system","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","Operation":"AddedToGroup","ClientIP":"","EventData":"Site Owners","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"Version":1,"TargetUserOrGroupType":"Member","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","UserId":"app@sharepoint","UserAgent":"","CreationTime":"2020-02-17T16:59:50","Id":"56696ec0-5a7e-4561-5e88-08d7b3cacd4a","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","UserType":0} +{"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","ItemType":"Web","TargetUserOrGroupName":"SIEMTest Owners","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","Operation":"AddedToGroup","ClientIP":"","EventData":"Site 
Owners","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"Version":1,"TargetUserOrGroupType":"SecurityGroup","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","UserId":"app@sharepoint","CreationTime":"2020-02-17T16:59:50","UserAgent":"","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07","UserType":0} +{"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","TargetUserOrGroupName":"SIEMTest Members","Operation":"AddedToGroup","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIP":"","EventData":"Site Members","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"Version":1,"TargetUserOrGroupType":"SecurityGroup","UserId":"app@sharepoint","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","UserAgent":"","CreationTime":"2020-02-17T16:59:50","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"483f657f-9141-45fc-b141-08d7b3caccfb","UserType":0} +{"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","TargetUserOrGroupName":"SHAREPOINT\\system","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","Operation":"AddedToGroup","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIP":"","EventData":"Site Owners","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"TargetUserOrGroupType":"Member","Version":1,"UserId":"app@sharepoint","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","CreationTime":"2020-02-17T16:59:49","UserAgent":"","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"13004a30-d15a-48a5-16ec-08d7b3caccc0","UserType":0} 
+{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links","ItemType":"List","UserKey":"i:0h.f|membership|1003200096971f55@live.com","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingInheritanceBroken","ClientIP":"79.159.10.151","EventData":"FalseFalse","Workload":"OneDrive","SourceRelativeUrl":"Sharing Links","EventSource":"SharePoint","ListId":"b108938d-3546-4359-925d-a1b54b4db8c2","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","Id":"dd162cd7-5df5-4fef-078a-08d7b17b4e95","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"AnonymousLinkCreated","EventData":"Edit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","UniqueSharingId":"d323b5ea-ceca-4d65-a628-e22ca9296a76","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"79.159.10.151","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","TargetUserOrGroupName":"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76","Operation":"SharingSet","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","EventData":"Contribute","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"a8c23ab8-9447-4824-3208-08d7b17b4e5e","UserType":0} 
+{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","TargetUserOrGroupName":"Limited Access System Group","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"Limited Access","RecordType":14,"ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"79.159.10.151","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"88a041e3-2f3a-483c-cf76-08d7b17b4e5b","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"98633e47-3540-4e8a-bcfc-08d7b17b4e48","UserType":0}
diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
new file mode 100644
index 000000000000..399814ae9a0d
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
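Review bot: The OneDrive records in this fixture carry what looks like a routable public client address, `79.159.10.151`, together with a live.com PUID in `UserKey` and a tenant host `testsiem.sharepoint.com`, whereas the DLP fixture at the top of this chunk already uses `example.net` and `example.org` for recipients. Sample logs shipped with a module end up indexed by everyone who runs the test suite and get copied into documentation, so the address should come from a documentation range such as `192.0.2.0/24` and the tenant host from `example.com`, with the expected JSON regenerated (that section begins at the next hunk and runs past this chunk). The values are presumably already anonymised; if so, a one-line note in the test directory stating that would settle the question for future reviewers.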
@@ -0,0 +1,586 @@
+[
+ {
+ "@timestamp": "2020-02-17T16:59:50.000Z",
+ "event.action": "AddedToGroup",
+ "event.category": "web",
+ "event.code": "SharePointSharingOperation",
+ "event.dataset": "o365.audit",
+ "event.id": "4d1a6a2b-360c-423d-96e5-08d7b3cacd83",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SharePoint",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 0,
+ "o365.audit.CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18",
+ "o365.audit.CreationTime": "2020-02-17T16:59:50",
+ "o365.audit.EventData": "Site Members",
+ "o365.audit.EventSource": "SharePoint",
+ "o365.audit.Id": "4d1a6a2b-360c-423d-96e5-08d7b3cacd83",
+ "o365.audit.ItemType": "Web",
+ "o365.audit.ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest",
+ "o365.audit.Operation": "AddedToGroup",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 14,
+ "o365.audit.Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2",
+ "o365.audit.SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest",
+ "o365.audit.TargetUserOrGroupName": "Everyone except external users",
+ "o365.audit.TargetUserOrGroupType": "SecurityGroup",
+ "o365.audit.UserAgent": "",
+ "o365.audit.UserId": "app@sharepoint",
+ "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint",
+ "o365.audit.UserType": 0,
+ "o365.audit.Version": 1,
+ "o365.audit.WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083",
+ "o365.audit.Workload": "SharePoint",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "related.user": "app",
+ "service.type": "o365",
+ "user.domain": "sharepoint",
+ "user.id": "app@sharepoint",
+ "user.name": "app",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Other",
+ "user_agent.original": ""
+ },
+ {
+ "@timestamp": "2020-02-17T16:59:50.000Z",
+ "event.action": "AddedToGroup",
+ 
"event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "56696ec0-5a7e-4561-5e88-08d7b3cacd4a", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 807, + "o365.audit.CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "o365.audit.CreationTime": "2020-02-17T16:59:50", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "56696ec0-5a7e-4561-5e88-08d7b3cacd4a", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "o365.audit.SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", + "o365.audit.Workload": "SharePoint", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "app", + "service.type": "o365", + "user.domain": "sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2020-02-17T16:59:50.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": 
"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1594, + "o365.audit.CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "o365.audit.CreationTime": "2020-02-17T16:59:50", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "b8c880ff-e8fe-407c-9ce9-08d7b3cacd07", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "o365.audit.SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.TargetUserOrGroupName": "SIEMTest Owners", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", + "o365.audit.Workload": "SharePoint", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "app", + "service.type": "o365", + "user.domain": "sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2020-02-17T16:59:50.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "483f657f-9141-45fc-b141-08d7b3caccfb", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + 
"event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2385, + "o365.audit.CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "o365.audit.CreationTime": "2020-02-17T16:59:50", + "o365.audit.EventData": "Site Members", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "483f657f-9141-45fc-b141-08d7b3caccfb", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "o365.audit.SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.TargetUserOrGroupName": "SIEMTest Members", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", + "o365.audit.Workload": "SharePoint", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "app", + "service.type": "o365", + "user.domain": "sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2020-02-17T16:59:49.000Z", + "event.action": "AddedToGroup", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "13004a30-d15a-48a5-16ec-08d7b3caccc0", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SharePoint", + "event.type": "info", + "fileset.name": "audit", + "host.id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 3178, + "o365.audit.CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "o365.audit.CreationTime": "2020-02-17T16:59:49", + "o365.audit.EventData": "Site Owners", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "13004a30-d15a-48a5-16ec-08d7b3caccc0", + "o365.audit.ItemType": "Web", + "o365.audit.ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.Operation": "AddedToGroup", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "o365.audit.SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "o365.audit.TargetUserOrGroupName": "SHAREPOINT\\system", + "o365.audit.TargetUserOrGroupType": "Member", + "o365.audit.UserAgent": "", + "o365.audit.UserId": "app@sharepoint", + "o365.audit.UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", + "o365.audit.Workload": "SharePoint", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "app", + "service.type": "o365", + "user.domain": "sharepoint", + "user.id": "app@sharepoint", + "user.name": "app", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + }, + { + "@timestamp": "2020-02-14T18:25:45.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "SharingInheritanceBroken", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "dd162cd7-5df5-4fef-078a-08d7b17b4e95", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"input.type": "log", + "log.offset": 3965, + "network.type": "ipv4", + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "o365.audit.CreationTime": "2020-02-14T18:25:45", + "o365.audit.EventData": "FalseFalse", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "dd162cd7-5df5-4fef-078a-08d7b17b4e95", + "o365.audit.ItemType": "List", + "o365.audit.ListId": "b108938d-3546-4359-925d-a1b54b4db8c2", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links", + "o365.audit.Operation": "SharingInheritanceBroken", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "o365.audit.SourceRelativeUrl": "Sharing Links", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": 
"asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "73.0." + }, + { + "@timestamp": "2020-02-14T18:25:45.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "AnonymousLinkCreated", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5028, + "network.type": "ipv4", + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "o365.audit.CreationTime": "2020-02-14T18:25:45", + "o365.audit.EventData": "Edit", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "AnonymousLinkCreated", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + 
"o365.audit.SourceRelativeUrl": "Documents/Screenshot.png", + "o365.audit.UniqueSharingId": "d323b5ea-ceca-4d65-a628-e22ca9296a76", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "73.0." 
+ }, + { + "@timestamp": "2020-02-14T18:25:45.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "SharingSet", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "a8c23ab8-9447-4824-3208-08d7b17b4e5e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 6178, + "network.type": "ipv4", + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "o365.audit.CreationTime": "2020-02-14T18:25:45", + "o365.audit.EventData": "Contribute", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "a8c23ab8-9447-4824-3208-08d7b17b4e5e", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "SharingSet", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents/Screenshot.png", + "o365.audit.TargetUserOrGroupName": "SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76", + "o365.audit.TargetUserOrGroupType": "SharePointGroup", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "73.0." 
+ }, + { + "@timestamp": "2020-02-14T18:25:44.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "SharingSet", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "88a041e3-2f3a-483c-cf76-08d7b17b4e5b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 7466, + "network.type": "ipv4", + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "o365.audit.CreationTime": "2020-02-14T18:25:44", + "o365.audit.EventData": "Limited Access", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "88a041e3-2f3a-483c-cf76-08d7b17b4e5b", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "SharingSet", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents/Screenshot.png", + "o365.audit.TargetUserOrGroupName": "Limited Access System Group", + "o365.audit.TargetUserOrGroupType": "SharePointGroup", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "o365.audit.Workload": "OneDrive", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "73.0." 
+ }, + { + "@timestamp": "2020-02-14T18:25:44.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "SharingSet", + "event.category": "web", + "event.code": "SharePointSharingOperation", + "event.dataset": "o365.audit", + "event.id": "98633e47-3540-4e8a-bcfc-08d7b17b4e48", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "OneDrive", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 8685, + "network.type": "ipv4", + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "o365.audit.CreationTime": "2020-02-14T18:25:44", + "o365.audit.EventData": "System.LimitedEdit", + "o365.audit.EventSource": "SharePoint", + "o365.audit.Id": "98633e47-3540-4e8a-bcfc-08d7b17b4e48", + "o365.audit.ItemType": "File", + "o365.audit.ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "o365.audit.ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "o365.audit.ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", + "o365.audit.Operation": "SharingSet", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 14, + "o365.audit.Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "o365.audit.SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "o365.audit.SourceFileExtension": "png", + "o365.audit.SourceFileName": "Screenshot.png", + "o365.audit.SourceRelativeUrl": "Documents/Screenshot.png", + "o365.audit.TargetUserOrGroupName": "4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd", + "o365.audit.TargetUserOrGroupType": "SecurityGroup", + "o365.audit.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + 
"o365.audit.UserKey": "i:0h.f|membership|1003200096971f55@live.com",
+ "o365.audit.UserType": 0,
+ "o365.audit.Version": 1,
+ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
+ "o365.audit.Workload": "OneDrive",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "related.ip": "79.159.10.151",
+ "related.user": "asr",
+ "service.type": "o365",
+ "source.as.number": 3352,
+ "source.as.organization.name": "Telefonica De Espana",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.location.lat": 41.3891,
+ "source.geo.location.lon": 2.1611,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "79.159.10.151",
+ "user.domain": "testsiem.onmicrosoft.com",
+ "user.id": "asr@testsiem.onmicrosoft.com",
+ "user.name": "asr",
+ "user_agent.device.name": "Other",
+ "user_agent.name": "Firefox",
+ "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
+ "user_agent.os.full": "Mac OS X 10.14",
+ "user_agent.os.name": "Mac OS X",
+ "user_agent.os.version": "10.14",
+ "user_agent.version": "73.0."
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log
new file mode 100644
index 000000000000..c3ce778caf06
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log
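Review bot: The golden output pins `"user_agent.version": "73.0."` with a trailing dot for every OneDrive event in this file, although the corresponding `user_agent.original` ends in `Firefox/73.0`; committing the fixture as-is locks that malformed value into the test and it will propagate to any dashboard or rule that keys on the version field. The expected line is `"user_agent.version": "73.0"`, and the fix presumably belongs in the user-agent processing step of the ingest pipeline rather than in this file, so the fixture should be regenerated once that is addressed. Separately, `host.id` and `organization.id` both carry the tenant OrganizationId in every record here; a tenant id is not a host identifier, so unless that mapping is deliberate it may be worth dropping `host.id` (the pipeline itself is outside this diff).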
@@ -0,0 +1,69 @@
+{"InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:13", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ca0efc24-1b89-4962-8fef-a3ac5437302f"}
+{"InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ed155e11-60b3-4764-b9aa-05c35f3bb800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba"} +{"InterSystemsId": "0f5eb16e-8b22-49bf-a927-f6f310fd5879", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", 
"Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "10e2d141-839e-4913-ab3d-6cf1f4856eae"} +{"InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1809f830-b010-4389-9607-e01ae175ca00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "68b3fd99-0dae-4479-926d-03cc0073dd08"} +{"InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:22", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2a84e6ff-7340-426e-9d0d-e53092c0c600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6"} +{"InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": 
"5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d66cd29f-596e-4878-b756-92b545d25f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b5f59a43-00cf-42c4-8685-a7166fd20e38"} +{"InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:41", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1b395e92-5d02-408f-8bfe-139098a95500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e"} +{"InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba18ea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0"} +{"InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1909acba-a486-4ffc-805c-09fb73c0bf00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5"} +{"InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", 
"Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "391870e6-1729-40ae-9ebb-51e0652fec9b"} +{"InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8971516f-3ef3-4de0-b6b8-ebfae386bc00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc"} +{"InterSystemsId": "32e2f533-40fb-4783-8c66-d1bad7e1cc88", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a"} +{"InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:08", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": 
"00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f716345800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3"} +{"InterSystemsId": "40077a75-7b58-4623-a64a-f1b7de70fa54", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:27", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": 
"True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e031670b-bb84-45ee-94ff-0e70a8cd1138"} +{"InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:54", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "57ef1056-6ce2-424a-b241-ce3939d00900", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d39944c4-6766-4a89-8d5a-c789175830ee"} +{"InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0c8fcffc-a810-4a85-b8e2-3a2fda925c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "6f2b7716-1acc-450d-ae13-afad7e02d07e"} +{"InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9718abaa-220e-49c5-8c9b-588d32b8db00", 
"ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "47f3c440-3fb7-4b5e-9c20-455470b289d2"} +{"InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:38:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2fde8302-c39e-40b6-9c7f-1bb9d4800a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6"} +{"InterSystemsId": 
"4a50a549-adf3-4a22-9037-7fd8cd3d0116", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1d856a16-b179-41ab-9c0d-af1d2b925100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968"} +{"InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": 
"83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fc33c54e-38b9-4ef2-a4ee-a3a324a45500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d"} +{"InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:25", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "a063e495-5883-4837-8186-5828f9f2d500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": 
"OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013"} +{"InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:04", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "64613cae-510d-4a52-b486-070b775e5800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558"} +{"InterSystemsId": "5a453031-0cc3-4577-a589-4c3bf37eed78", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "19d57a4a-d32e-4dc6-971f-3491bc440023"} +{"InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": 
"00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9c218a27-ed51-4011-8383-e76850e85000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7"} +{"InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000003-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a"} +{"InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:29", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3db9a461-6dd1-4950-b3e3-fbe8c2d5c700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e94002d9-f6e8-46f9-8702-2a29e908e73d"} +{"InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "dc0cc415-9a00-470d-bda3-867e11fdd400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1ca4f684-3a34-44a8-99b8-064d1071768a"} +{"InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "01c15486-46e2-487a-91f5-11445da0b600", 
"ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2"} +{"InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:42", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6"}], "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1590b91f-bffe-4cd8-9028-de52692f5400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c"} +{"InterSystemsId": 
"6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:42:59", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "LogonError": "FlowTokenExpired", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785"} +{"InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "LogonError": 
"UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "7fa5e138-ac87-4063-a278-56c6c6965e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8"} +{"InterSystemsId": "6b9a8662-857f-45e4-bbb2-d106d5aab41e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:19", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "79.159.10.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0fee3b91-5e56-45f6-9b3c-792602b1e500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": 
"e5e2c41a-55ea-4681-9d64-78ddd7145bd2"} +{"InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c3ebcde8-62f6-4cc4-8e0c-c11c08e76100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:30:58", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b270c82-1240-4a0a-ac15-1e1116261400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c0a0d198-825b-4e39-b868-0a7b0552b209"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:31:33", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "b0faaf7a-913e-4a93-8ccc-ecfaa2b42400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "52b07191-3887-40fb-a001-f4122b0851d1"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:25", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cbfe534c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c62fa78d-daab-494e-a638-8321ebd71b9e"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "42c7ec91-1e2f-4505-b728-3a165b244f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "73c76212-8120-4e21-a383-c80d8327b606"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:29:56", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b8e8663-8a8c-4959-a692-e3eece085300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": 
"Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "29f94716-3717-4671-962e-9c739b764f07"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:51:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "361dd87e-3bc9-4f0a-b236-ed7365e28d00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "17d02385-1e30-45b7-949c-4d3dd549a0e7"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:39:45", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"79.159.10.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "79.159.10.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "32b4cec1-00eb-44ea-be73-adc82387db00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e3346dd0-ecf6-4676-8765-365c7370b6fe"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:40:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": 
"UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "a772fd76-847f-4703-90f1-37eb81c9f392"} +{"InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "adc9d69c-8ae6-41c7-b685-331453060a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "487e4f43-53db-4d6f-a314-5355746d4853"} +{"InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, 
{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7fe21ea-ec03-46dd-b272-0a72ebbeac00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "41f6b2dc-4db6-444c-93d9-829a842b87e2"} +{"InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], 
"ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba0bea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c"} +{"InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:04", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d239e473-6687-4ff9-ac65-0e3c59961600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e"} +{"InterSystemsId": "8d662bc0-0011-424d-a7dc-56bfc5a142b4", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d0a4e1ed-206d-4602-aaae-406a02c5c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293"} +{"InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": 
"00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "97aa710f-536f-44c8-a8d5-711dc55f5500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2bb7eae-bc6e-42d2-b270-a885ec626235"} +{"InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c9ef5d5f-e3af-4669-b465-921d8b58bd00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "03de6d95-b955-451c-8311-473b6853d774"} +{"InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000004-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000004-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7a84bcf-41ff-4953-8e99-fb1820685f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59"} +{"InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "56fa424b-64bd-4ea5-abc4-38256f8a5600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b"} +{"InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "78a2aa65-5026-4124-970a-00e06dc7df00", "ExtendedProperties": [{"Name": "UserAgent", "Value": 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8"} +{"InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:00", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "bfe22fb6-c763-4972-91a7-5b13d3d51400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6"} +{"InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", "OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f714fa2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c"} +{"InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": 
"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ccfec0f3-498b-43b1-a4c0-fb42f0fb5300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8ff18278-32ca-49d1-8658-91e577e0854f"} +{"InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c1ffa732-6576-4f86-9294-44387abc1f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": 
"RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea"} +{"InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cb90424c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "61ba70f4-bd75-4bc2-a681-2e219d920e63"} +{"InterSystemsId": "b5c5fd00-b659-413e-8739-6271a4d70506", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 
5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95"} +{"InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": 
"5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ce9f104d-1a1b-488e-9313-b9729e99c400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f100d714-ffa2-4077-bf90-2f57a3b366c0"} +{"InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "49092519-a590-4207-b1b3-1d49f9100a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": 
"UserLoggedIn", "Id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78"} +{"InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:38", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95"} +{"InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", 
"UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5"} +{"InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": 
"UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d"} +{"InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d137a5e4-7004-493a-acca-5fb167d1f207"} +{"InterSystemsId": "d21f6867-0670-4c94-b6fa-bde326fcf3c6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:20", "Actor": [{"Type": 0, 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2"} +{"InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", 
"ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3783acda-5ded-4d69-95b6-3df5344c0ce0"} +{"InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:03", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f67568b1-64c4-4165-bdd9-16a5b9142eef"} +{"InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a8114a24-d342-4689-b75e-51e6386763de"} +{"InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "98612804-9aa6-40a4-b72a-808bc7742000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1eaf9c65-8c67-4cd9-9277-771589113752"} +{"InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:39", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "6e184f6f-887b-4410-b24d-723031366000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3c439e46-d454-4767-9320-1e75540821b7"} diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json new file mode 100644 index 000000000000..948359f11ca2 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json 
@@ -0,0 +1,6350 @@ +[ + { + "@timestamp": "2020-02-10T15:13:13.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "ca0efc24-1b89-4962-8fef-a3ac5437302f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:13", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "ca0efc24-1b89-4962-8fef-a3ac5437302f", + "o365.audit.InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", + "o365.audit.IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:53:24.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1450, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:53:24", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba", + "o365.audit.InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", + "o365.audit.IntraSystemId": "ed155e11-60b3-4764-b9aa-05c35f3bb800", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:29:01.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "10e2d141-839e-4913-ab3d-6cf1f4856eae", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2901, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:29:01", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "10e2d141-839e-4913-ab3d-6cf1f4856eae", + "o365.audit.InterSystemsId": "0f5eb16e-8b22-49bf-a927-f6f310fd5879", + "o365.audit.IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:52:06.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "68b3fd99-0dae-4479-926d-03cc0073dd08", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 4293, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:52:06", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "68b3fd99-0dae-4479-926d-03cc0073dd08", + "o365.audit.InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", + "o365.audit.IntraSystemId": "1809f830-b010-4389-9607-e01ae175ca00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:53:22.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 5744, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:53:22", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6", + "o365.audit.InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", + "o365.audit.IntraSystemId": "2a84e6ff-7340-426e-9d0d-e53092c0c600", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:23.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "b5f59a43-00cf-42c4-8685-a7166fd20e38", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 7137, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:23", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "b5f59a43-00cf-42c4-8685-a7166fd20e38", + "o365.audit.InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", + "o365.audit.IntraSystemId": "d66cd29f-596e-4878-b756-92b545d25f00", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:41.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 8587, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:41", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e", + "o365.audit.InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", + "o365.audit.IntraSystemId": "1b395e92-5d02-408f-8bfe-139098a95500", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:22.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 10037, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:22", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0", + "o365.audit.InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", + "o365.audit.IntraSystemId": "280b3410-9d51-4ce3-952d-5bba18ea6600", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:52:05.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 11429, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:52:05", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5", + "o365.audit.InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", + "o365.audit.IntraSystemId": "1909acba-a486-4ffc-805c-09fb73c0bf00", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:45.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "391870e6-1729-40ae-9ebb-51e0652fec9b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 12822, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:45", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "391870e6-1729-40ae-9ebb-51e0652fec9b", + "o365.audit.InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", + "o365.audit.IntraSystemId": "9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:51:49.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 14214, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:51:49", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc", + "o365.audit.InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", + "o365.audit.IntraSystemId": "8971516f-3ef3-4de0-b6b8-ebfae386bc00", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:29:02.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 15664, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:29:02", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a", + "o365.audit.InterSystemsId": "32e2f533-40fb-4783-8c66-d1bad7e1cc88", + "o365.audit.IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:08.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 17114, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:08", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3", + "o365.audit.InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", + "o365.audit.IntraSystemId": "f67a1615-4606-4673-b6fb-68f716345800", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:27.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e031670b-bb84-45ee-94ff-0e70a8cd1138", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 18564, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:27", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "e031670b-bb84-45ee-94ff-0e70a8cd1138", + "o365.audit.InterSystemsId": "40077a75-7b58-4623-a64a-f1b7de70fa54", + "o365.audit.IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-08T14:33:54.000Z", + "client.address": "37.29.234.179", + "client.ip": "37.29.234.179", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "d39944c4-6766-4a89-8d5a-c789175830ee", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 20013, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.CreationTime": "2020-02-08T14:33:54", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "d39944c4-6766-4a89-8d5a-c789175830ee", + "o365.audit.InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", + "o365.audit.IntraSystemId": "57ef1056-6ce2-424a-b241-ce3939d00900", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "37.29.234.179", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 16299, + "source.as.organization.name": "XFERA Moviles S.A.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 40.4172, + "source.geo.location.lon": -3.684, + "source.ip": "37.29.234.179", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:12.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "6f2b7716-1acc-450d-ae13-afad7e02d07e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 21463, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:12", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "6f2b7716-1acc-450d-ae13-afad7e02d07e", + "o365.audit.InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", + "o365.audit.IntraSystemId": "0c8fcffc-a810-4a85-b8e2-3a2fda925c00", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:35.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "47f3c440-3fb7-4b5e-9c20-455470b289d2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 22913, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:35", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "47f3c440-3fb7-4b5e-9c20-455470b289d2", + "o365.audit.InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", + "o365.audit.IntraSystemId": "9718abaa-220e-49c5-8c9b-588d32b8db00", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-08T14:38:40.000Z", + "client.address": "37.29.234.179", + "client.ip": "37.29.234.179", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 24306, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.CreationTime": "2020-02-08T14:38:40", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6", + "o365.audit.InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", + "o365.audit.IntraSystemId": "2fde8302-c39e-40b6-9c7f-1bb9d4800a00", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "37.29.234.179", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 16299, + "source.as.organization.name": "XFERA Moviles S.A.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 40.4172, + "source.geo.location.lon": -3.684, + "source.ip": "37.29.234.179", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:16.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 25755, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:16", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968", + "o365.audit.InterSystemsId": "4a50a549-adf3-4a22-9037-7fd8cd3d0116", + "o365.audit.IntraSystemId": "1d856a16-b179-41ab-9c0d-af1d2b925100", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:16.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 27205, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:16", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d", + "o365.audit.InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", + "o365.audit.IntraSystemId": "fc33c54e-38b9-4ef2-a4ee-a3a324a45500", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:25.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 28655, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:25", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013", + "o365.audit.InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", + "o365.audit.IntraSystemId": "a063e495-5883-4837-8186-5828f9f2d500", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:04.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 30048, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:44:04", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558", + "o365.audit.InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", + "o365.audit.IntraSystemId": "64613cae-510d-4a52-b486-070b775e5800", + "o365.audit.ObjectId": "00000003-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:51:45.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "19d57a4a-d32e-4dc6-971f-3491bc440023", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 31498, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:51:45", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "19d57a4a-d32e-4dc6-971f-3491bc440023", + "o365.audit.InterSystemsId": "5a453031-0cc3-4577-a589-4c3bf37eed78", + "o365.audit.IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:01.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 32948, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:01", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7", + "o365.audit.InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", + "o365.audit.IntraSystemId": "9c218a27-ed51-4011-8383-e76850e85000", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:51.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 34398, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "00000003-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:51", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a", + "o365.audit.InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", + "o365.audit.IntraSystemId": "c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00", + "o365.audit.ObjectId": "00000003-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:29.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e94002d9-f6e8-46f9-8702-2a29e908e73d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 35847, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:29", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "e94002d9-f6e8-46f9-8702-2a29e908e73d", + "o365.audit.InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", + "o365.audit.IntraSystemId": "3db9a461-6dd1-4950-b3e3-fbe8c2d5c700", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:37.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "1ca4f684-3a34-44a8-99b8-064d1071768a", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 37297, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:37", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "1ca4f684-3a34-44a8-99b8-064d1071768a", + "o365.audit.InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", + "o365.audit.IntraSystemId": "dc0cc415-9a00-470d-bda3-867e11fdd400", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:51:50.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 38748, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:51:50", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2", + "o365.audit.InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", + "o365.audit.IntraSystemId": "01c15486-46e2-487a-91f5-11445da0b600", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:42.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 40199, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:42", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c", + "o365.audit.InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", + "o365.audit.IntraSystemId": "1590b91f-bffe-4cd8-9028-de52692f5400", + "o365.audit.ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:42:59.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 41650, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:42:59", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785", + "o365.audit.InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", + "o365.audit.IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", + "o365.audit.LogonError": "FlowTokenExpired", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + 
"o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:02.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_failure" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 43031, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:02", + "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8", + "o365.audit.InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", + "o365.audit.IntraSystemId": "7fa5e138-ac87-4063-a278-56c6c6965e00", + "o365.audit.LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoginFailed", + 
"o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Failed", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:19.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e5e2c41a-55ea-4681-9d64-78ddd7145bd2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 44539, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:19", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "e5e2c41a-55ea-4681-9d64-78ddd7145bd2", + "o365.audit.InterSystemsId": "6b9a8662-857f-45e4-bbb2-d106d5aab41e", + "o365.audit.IntraSystemId": "0fee3b91-5e56-45f6-9b3c-792602b1e500", + "o365.audit.LogonError": "None", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "Unknown", + "o365.audit.UserKey": "Not Available", 
+ "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.id": "Unknown", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-07T16:43:40.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 45648, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": 
"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:40", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80", + "o365.audit.InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", + "o365.audit.IntraSystemId": "c3ebcde8-62f6-4cc4-8e0c-c11c08e76100", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + 
"user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-09T15:30:58.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "c0a0d198-825b-4e39-b868-0a7b0552b209", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 47098, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:30:58", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "c0a0d198-825b-4e39-b868-0a7b0552b209", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "8b270c82-1240-4a0a-ac15-1e1116261400", + "o365.audit.LogonError": "None", + "o365.audit.ObjectId": "Unknown", + 
"o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "Unknown", + "o365.audit.UserKey": "Not Available", + "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.id": "Unknown", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:31:33.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "52b07191-3887-40fb-a001-f4122b0851d1", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_failure" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 48207, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:31:33", + "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "52b07191-3887-40fb-a001-f4122b0851d1", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "b0faaf7a-913e-4a93-8ccc-ecfaa2b42400", + "o365.audit.LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "o365.audit.ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "o365.audit.Operation": "UserLoginFailed", + 
"o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Failed", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:14:25.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "c62fa78d-daab-494e-a638-8321ebd71b9e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 49715, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:14:25", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "c62fa78d-daab-494e-a638-8321ebd71b9e", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "d949d6c2-472e-4901-bd70-96cbfe534c00", + "o365.audit.LogonError": "None", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "Unknown", + "o365.audit.UserKey": "Not Available", 
+ "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.id": "Unknown", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-10T15:14:51.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "73c76212-8120-4e21-a383-c80d8327b606", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_failure" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 50824, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": 
"c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:14:51", + "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "73c76212-8120-4e21-a383-c80d8327b606", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "42c7ec91-1e2f-4505-b728-3a165b244f00", + "o365.audit.LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "o365.audit.ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "o365.audit.Operation": "UserLoginFailed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Failed", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + 
"source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-10T15:29:56.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "29f94716-3717-4671-962e-9c739b764f07", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 52332, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:29:56", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; 
rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "29f94716-3717-4671-962e-9c739b764f07", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "8b8e8663-8a8c-4959-a692-e3eece085300", + "o365.audit.ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-11T16:51:23.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "17d02385-1e30-45b7-949c-4d3dd549a0e7", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 53782, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-11T16:51:23", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "17d02385-1e30-45b7-949c-4d3dd549a0e7", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "361dd87e-3bc9-4f0a-b236-ed7365e28d00", + "o365.audit.ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:39:45.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e3346dd0-ecf6-4676-8765-365c7370b6fe", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 55232, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:39:45", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "e3346dd0-ecf6-4676-8765-365c7370b6fe", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "32b4cec1-00eb-44ea-be73-adc82387db00", + "o365.audit.LogonError": "None", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "Unknown", + "o365.audit.UserKey": "Not Available", 
+ "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.id": "Unknown", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-12T21:40:16.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoginFailed", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a772fd76-847f-4703-90f1-37eb81c9f392", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "failure", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_failure" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 56341, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": 
"c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:40:16", + "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", + "o365.audit.ExtendedProperties.RequestType": "Login:login", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "1", + "o365.audit.Id": "a772fd76-847f-4703-90f1-37eb81c9f392", + "o365.audit.InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "o365.audit.IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", + "o365.audit.LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "o365.audit.ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "o365.audit.Operation": "UserLoginFailed", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Failed", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + 
"source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-08T14:33:52.000Z", + "client.address": "37.29.234.179", + "client.ip": "37.29.234.179", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "487e4f43-53db-4d6f-a314-5355746d4853", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 57849, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.CreationTime": "2020-02-08T14:33:52", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; 
rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "487e4f43-53db-4d6f-a314-5355746d4853", + "o365.audit.InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", + "o365.audit.IntraSystemId": "adc9d69c-8ae6-41c7-b685-331453060a00", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "37.29.234.179", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 16299, + "source.as.organization.name": "XFERA Moviles S.A.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 40.4172, + "source.geo.location.lon": -3.684, + "source.ip": "37.29.234.179", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:53:24.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "41f6b2dc-4db6-444c-93d9-829a842b87e2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 59299, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:53:24", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "41f6b2dc-4db6-444c-93d9-829a842b87e2", + "o365.audit.InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", + "o365.audit.IntraSystemId": "e7fe21ea-ec03-46dd-b272-0a72ebbeac00", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:22.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 60750, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:22", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c", + "o365.audit.InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", + "o365.audit.IntraSystemId": "280b3410-9d51-4ce3-952d-5bba0bea6600", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-06T09:28:04.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 62199, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-06T09:28:04", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.Id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e", + "o365.audit.InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", + "o365.audit.IntraSystemId": "d239e473-6687-4ff9-ac65-0e3c59961600", + "o365.audit.LogonError": "None", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "Unknown", + "o365.audit.UserKey": "Not Available", 
+ "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.id": "Unknown", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-12T21:38:35.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 63308, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": 
"00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:35", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293", + "o365.audit.InterSystemsId": "8d662bc0-0011-424d-a7dc-56bfc5a142b4", + "o365.audit.IntraSystemId": "d0a4e1ed-206d-4602-aaae-406a02c5c300", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + 
"user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-10T15:13:36.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "d2bb7eae-bc6e-42d2-b270-a885ec626235", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 64758, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:36", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + 
"o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "d2bb7eae-bc6e-42d2-b270-a885ec626235", + "o365.audit.InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", + "o365.audit.IntraSystemId": "97aa710f-536f-44c8-a8d5-711dc55f5500", + "o365.audit.ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:51:49.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "03de6d95-b955-451c-8311-473b6853d774", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 66208, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:51:49", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "03de6d95-b955-451c-8311-473b6853d774", + "o365.audit.InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", + "o365.audit.IntraSystemId": "c9ef5d5f-e3af-4669-b465-921d8b58bd00", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:37.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 67601, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:37", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59", + "o365.audit.InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", + "o365.audit.IntraSystemId": "e7a84bcf-41ff-4953-8e99-fb1820685f00", + "o365.audit.ObjectId": "00000004-0000-0ff1-ce00-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000004-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:36.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 69051, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:36", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b", + "o365.audit.InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", + "o365.audit.IntraSystemId": "56fa424b-64bd-4ea5-abc4-38256f8a5600", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:37.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 70444, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:37", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8", + "o365.audit.InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", + "o365.audit.IntraSystemId": "78a2aa65-5026-4124-970a-00e06dc7df00", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-06T09:28:00.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 71895, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-06T09:28:00", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6", + "o365.audit.InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", + "o365.audit.IntraSystemId": "bfe22fb6-c763-4972-91a7-5b13d3d51400", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:28:52.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 73345, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:28:52", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c", + "o365.audit.InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", + "o365.audit.IntraSystemId": "f67a1615-4606-4673-b6fb-68f714fa2200", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:37.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "8ff18278-32ca-49d1-8658-91e577e0854f", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 74795, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:37", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "8ff18278-32ca-49d1-8658-91e577e0854f", + "o365.audit.InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", + "o365.audit.IntraSystemId": "ccfec0f3-498b-43b1-a4c0-fb42f0fb5300", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:28:52.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 76246, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:28:52", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea", + "o365.audit.InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", + "o365.audit.IntraSystemId": "c1ffa732-6576-4f86-9294-44387abc1f00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:01.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "61ba70f4-bd75-4bc2-a681-2e219d920e63", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 77696, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:01", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "61ba70f4-bd75-4bc2-a681-2e219d920e63", + "o365.audit.InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", + "o365.audit.IntraSystemId": "d949d6c2-472e-4901-bd70-96cb90424c00", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:53:12.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 79146, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:53:12", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95", + "o365.audit.InterSystemsId": "b5c5fd00-b659-413e-8739-6271a4d70506", + "o365.audit.IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", + "o365.audit.ObjectId": "00000002-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T10:52:06.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "f100d714-ffa2-4077-bf90-2f57a3b366c0", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 80596, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T10:52:06", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "f100d714-ffa2-4077-bf90-2f57a3b366c0", + "o365.audit.InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", + "o365.audit.IntraSystemId": "ce9f104d-1a1b-488e-9313-b9729e99c400", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-08T14:33:50.000Z", + "client.address": "37.29.234.179", + "client.ip": "37.29.234.179", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 82047, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.CreationTime": "2020-02-08T14:33:50", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78", + "o365.audit.InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", + "o365.audit.IntraSystemId": "49092519-a590-4207-b1b3-1d49f9100a00", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "37.29.234.179", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 16299, + "source.as.organization.name": "XFERA Moviles S.A.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 40.4172, + "source.geo.location.lon": -3.684, + "source.ip": "37.29.234.179", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-10T15:13:38.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 83439, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-10T15:13:38", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95", + "o365.audit.InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", + "o365.audit.IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:05.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 84890, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:44:05", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5", + "o365.audit.InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", + "o365.audit.IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:28:51.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 86340, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:28:51", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d", + "o365.audit.InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", + "o365.audit.IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:25:21.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "d137a5e4-7004-493a-acca-5fb167d1f207", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 87732, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:25:21", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "d137a5e4-7004-493a-acca-5fb167d1f207", + "o365.audit.InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", + "o365.audit.IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", + "o365.audit.ObjectId": "00000003-0000-0000-c000-000000000000", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-12T21:38:20.000Z", + "client.address": "79.159.10.151", + "client.ip": "79.159.10.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 89182, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.CreationTime": "2020-02-12T21:38:20", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2", + "o365.audit.InterSystemsId": "d21f6867-0670-4c94-b6fa-bde326fcf3c6", + "o365.audit.IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "79.159.10.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:02.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3783acda-5ded-4d69-95b6-3df5344c0ce0", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 90575, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:44:02", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3783acda-5ded-4d69-95b6-3df5344c0ce0", + "o365.audit.InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", + "o365.audit.IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:44:03.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "f67568b1-64c4-4165-bdd9-16a5b9142eef", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 91967, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:44:03", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "f67568b1-64c4-4165-bdd9-16a5b9142eef", + "o365.audit.InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", + "o365.audit.IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:29:02.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "a8114a24-d342-4689-b75e-51e6386763de", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 93417, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:29:02", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "a8114a24-d342-4689-b75e-51e6386763de", + "o365.audit.InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", + "o365.audit.IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-09T15:25:21.000Z", + "client.address": "83.57.233.151", + "client.ip": "83.57.233.151", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "1eaf9c65-8c67-4cd9-9277-771589113752", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 94867, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.CreationTime": "2020-02-09T15:25:21", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "1eaf9c65-8c67-4cd9-9277-771589113752", + "o365.audit.InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", + "o365.audit.IntraSystemId": "98612804-9aa6-40a4-b72a-808bc7742000", + "o365.audit.ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 
15, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "83.57.233.151", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "83.57.233.151", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-07T16:43:39.000Z", + "client.address": "213.97.47.133", + "client.ip": "213.97.47.133", + "event.action": "UserLoggedIn", + "event.category": "authentication", + "event.code": "AzureActiveDirectoryStsLogon", + "event.dataset": "o365.audit", + "event.id": "3c439e46-d454-4767-9320-1e75540821b7", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "AzureActiveDirectory", + "event.type": [ + "start", + "authentication_success" + ], + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 96317, + "network.type": "ipv4", + "o365.audit.Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "o365.audit.AzureActiveDirectoryEventType": 1, + "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.CreationTime": "2020-02-07T16:43:39", + "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", + "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", + "o365.audit.ExtendedProperties.ResultStatusDetail": "Redirect", + "o365.audit.ExtendedProperties.UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "o365.audit.ExtendedProperties.UserAuthenticationMethod": "9", + "o365.audit.Id": "3c439e46-d454-4767-9320-1e75540821b7", + "o365.audit.InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", + "o365.audit.IntraSystemId": "6e184f6f-887b-4410-b24d-723031366000", + "o365.audit.ObjectId": "Unknown", + "o365.audit.Operation": "UserLoggedIn", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 15, + 
"o365.audit.ResultStatus": "Succeeded", + "o365.audit.SupportTicketId": "", + "o365.audit.Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "AzureActiveDirectory", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.ip": "213.97.47.133", + "related.user": "asr", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "213.97.47.133", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log b/x-pack/filebeat/module/o365/audit/test/22-yammer.log new file mode 100644 index 000000000000..1c2fa3766b2b --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log 
@@ -0,0 +1,2 @@
+{"ObjectId":"Sales","Id":"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594","CreationTime":"2020-02-28T09:42:45","UserKey":"100320009d6edf94","YammerNetworkId":5846122497,"Operation":"GroupCreation","ClientIP":"79.159.10.151:12345","ActorYammerUserId":36787265537,"UserType":0,"ResultStatus":"TRUE","RecordType":22,"Workload":"Yammer","Version":1,"GroupName":"Sales","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"alice@testsiem2.onmicrosoft.com","ActorUserId":"alice@testsiem2.onmicrosoft.com"}
+{"CreationTime":"2020-02-28T09:39:20","ActorUserId":"asr@testsiem2.onmicrosoft.com","ObjectId":"Company group","UserKey":"100320009d292e16","Id":"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06","ActorYammerUserId":36085768193,"ClientIP":"[fdfd::555]:12346","UserId":"asr@testsiem2.onmicrosoft.com","Operation":"GroupCreation","ResultStatus":"TRUE","UserType":0,"Workload":"Yammer","Version":1,"OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","YammerNetworkId":5846122497,"RecordType":22,"GroupName":"Company group"}
diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json
new file mode 100644
index 000000000000..d0ed002d5221
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json
@@ -0,0 +1,109 @@ +[ + { + "@timestamp": "2020-02-28T09:42:45.000Z", + "client.address": "79.159.10.151:12345", + "client.ip": "79.159.10.151", + "client.port": "12345", + "event.action": "GroupCreation", + "event.category": "iam", + "event.code": "Yammer", + "event.dataset": "o365.audit", + "event.id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Yammer", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "audit", + "group.name": "Sales", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 0, + "network.type": "ipv4", + "o365.audit.ActorUserId": "alice@testsiem2.onmicrosoft.com", + "o365.audit.ActorYammerUserId": 36787265537, + "o365.audit.ClientIP": "79.159.10.151:12345", + "o365.audit.CreationTime": "2020-02-28T09:42:45", + "o365.audit.GroupName": "Sales", + "o365.audit.Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "o365.audit.ObjectId": "Sales", + "o365.audit.Operation": "GroupCreation", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.RecordType": 22, + "o365.audit.ResultStatus": "TRUE", + "o365.audit.UserId": "alice@testsiem2.onmicrosoft.com", + "o365.audit.UserKey": "100320009d6edf94", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "Yammer", + "o365.audit.YammerNetworkId": 5846122497, + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.ip": "79.159.10.151", + "service.type": "o365", + "source.as.number": 3352, + "source.as.organization.name": "Telefonica De Espana", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "79.159.10.151", + "source.port": "12345", + "user.email": 
"alice@testsiem2.onmicrosoft.com", + "user.id": "36787265537" + }, + { + "@timestamp": "2020-02-28T09:39:20.000Z", + "client.address": "[fdfd::555]:12346", + "client.ip": "fdfd::555", + "client.port": "12346", + "event.action": "GroupCreation", + "event.category": "iam", + "event.code": "Yammer", + "event.dataset": "o365.audit", + "event.id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "Yammer", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "audit", + "group.name": "Company group", + "host.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "input.type": "log", + "log.offset": 503, + "network.type": "ipv6", + "o365.audit.ActorUserId": "asr@testsiem2.onmicrosoft.com", + "o365.audit.ActorYammerUserId": 36085768193, + "o365.audit.ClientIP": "[fdfd::555]:12346", + "o365.audit.CreationTime": "2020-02-28T09:39:20", + "o365.audit.GroupName": "Company group", + "o365.audit.Id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06", + "o365.audit.ObjectId": "Company group", + "o365.audit.Operation": "GroupCreation", + "o365.audit.OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "o365.audit.RecordType": 22, + "o365.audit.ResultStatus": "TRUE", + "o365.audit.UserId": "asr@testsiem2.onmicrosoft.com", + "o365.audit.UserKey": "100320009d292e16", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "Yammer", + "o365.audit.YammerNetworkId": 5846122497, + "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "related.ip": "fdfd::555", + "service.type": "o365", + "source.ip": "fdfd::555", + "source.port": "12346", + "user.email": "asr@testsiem2.onmicrosoft.com", + "user.id": "36085768193" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log new file mode 100644 index 000000000000..d3d294cee903 --- /dev/null 
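Review bot: `client.port` and `source.port` are frozen here as strings (`"12345"`, `"12346"`) in both records, while ECS defines those fields as `long`; the fixture pins the wrong type, so the pipeline step that splits `ClientIP` into address and port should convert the port to an integer before this expected output is regenerated. In the same records `user.id` is taken from the numeric `ActorYammerUserId` (`"36787265537"`) while the other workload fixtures put the UPN in `user.id`, so a pivot on `user.id` across workloads will not match the same principal; worth confirming this is intended, and otherwise keeping the UPN in `user.id` with the Yammer id left under `o365.audit.ActorYammerUserId`. Note also that `related.user` is absent for Yammer even though `ActorUserId` is present, unlike the Teams and alert fixtures.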
+++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log 
@@ -0,0 +1,4 @@
+{"RecordType":25,"Version":1,"TeamGuid":"19:5ad83cb367fc48358e759dccff238f46@thread.skype","UserId":"Application","UserKey":"","CreationTime":"2020-02-17T16:59:44","TeamName":"SIEMTest","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"TeamCreated","Id":"49fa9883-50a9-4c9c-8e12-57e0948a9d8a","UserType":5,"Workload":"MicrosoftTeams"}
+{"TeamGuid":"19:5ad83cb367fc48358e759dccff238f46@thread.skype","UserKey":"755e500a-6c03-46b0-b53b-282f23374e3b","TeamName":"SIEMTest","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"MemberAdded","Workload":"MicrosoftTeams","RecordType":25,"Version":1,"UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-17T16:59:47","ItemName":"SIEMTest","Id":"3a951c24-3214-5529-b2fe-097628a39ecd","UserType":0,"Members":[{"Role":1,"UPN":"david@testsiem.onmicrosoft.com","DisplayName":"David"},{"Role":1,"UPN":"chuck@testsiem.onmicrosoft.com","DisplayName":"Chuck"},{"Role":1,"UPN":"bob@testsiem.onmicrosoft.com","DisplayName":"Bob"},{"Role":1,"UPN":"alice@testsiem.onmicrosoft.com","DisplayName":"Alice"}]}
+{"TeamGuid":"19:5ad83cb367fc48358e759dccff238f46@thread.skype","UserKey":"755e500a-6c03-46b0-b53b-282f23374e3b","TeamName":"SIEMTest","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"MemberAdded","Workload":"MicrosoftTeams","RecordType":25,"Version":1,"UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-17T16:59:44","ItemName":"SIEMTest","Id":"3350cfd2-1020-5b11-99d8-2701f3a29ea3","UserType":0,"Members":[{"Role":2,"UPN":"asr@testsiem.onmicrosoft.com","DisplayName":"Alan Smithee"}]}
+{"RecordType":25,"Version":1,"ObjectId":"Unknown (Unknown)","UserId":"bob@testsiem.onmicrosoft.com","UserKey":"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0","CreationTime":"2020-02-17T16:59:34","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Id":"d7636db2-859f-437e-8dff-573726578ad7","Operation":"TeamsSessionStarted","UserType":0,"Workload":"MicrosoftTeams"}
diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json
new file mode 100644
index 000000000000..40e3e3dd3ada
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json
@@ -0,0 +1,169 @@ +[ + { + "@timestamp": "2020-02-17T16:59:44.000Z", + "event.action": "TeamCreated", + "event.category": "web", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "49fa9883-50a9-4c9c-8e12-57e0948a9d8a", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "o365.audit.CreationTime": "2020-02-17T16:59:44", + "o365.audit.Id": "49fa9883-50a9-4c9c-8e12-57e0948a9d8a", + "o365.audit.Operation": "TeamCreated", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", + "o365.audit.TeamName": "SIEMTest", + "o365.audit.UserId": "Application", + "o365.audit.UserKey": "", + "o365.audit.UserType": 5, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "service.type": "o365", + "user.id": "Application" + }, + { + "@timestamp": "2020-02-17T16:59:47.000Z", + "event.action": "MemberAdded", + "event.category": "web", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "3a951c24-3214-5529-b2fe-097628a39ecd", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 354, + "o365.audit.CreationTime": "2020-02-17T16:59:47", + "o365.audit.Id": "3a951c24-3214-5529-b2fe-097628a39ecd", + "o365.audit.ItemName": "SIEMTest", + "o365.audit.Members": [ + { + "DisplayName": "David", + "Role": 1, + "UPN": "david@testsiem.onmicrosoft.com" + }, + { + "DisplayName": "Chuck", + "Role": 1, + "UPN": 
"chuck@testsiem.onmicrosoft.com" + }, + { + "DisplayName": "Bob", + "Role": 1, + "UPN": "bob@testsiem.onmicrosoft.com" + }, + { + "DisplayName": "Alice", + "Role": 1, + "UPN": "alice@testsiem.onmicrosoft.com" + } + ], + "o365.audit.Operation": "MemberAdded", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", + "o365.audit.TeamName": "SIEMTest", + "o365.audit.UserId": "asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "asr", + "service.type": "o365", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-17T16:59:44.000Z", + "event.action": "MemberAdded", + "event.category": "web", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "3350cfd2-1020-5b11-99d8-2701f3a29ea3", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1079, + "o365.audit.CreationTime": "2020-02-17T16:59:44", + "o365.audit.Id": "3350cfd2-1020-5b11-99d8-2701f3a29ea3", + "o365.audit.ItemName": "SIEMTest", + "o365.audit.Members": [ + { + "DisplayName": "Alan Smithee", + "Role": 2, + "UPN": "asr@testsiem.onmicrosoft.com" + } + ], + "o365.audit.Operation": "MemberAdded", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 25, + "o365.audit.TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", + "o365.audit.TeamName": "SIEMTest", + "o365.audit.UserId": 
"asr@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "asr", + "service.type": "o365", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-17T16:59:34.000Z", + "event.action": "TeamsSessionStarted", + "event.category": "web", + "event.code": "MicrosoftTeams", + "event.dataset": "o365.audit", + "event.id": "d7636db2-859f-437e-8dff-573726578ad7", + "event.kind": "event", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "MicrosoftTeams", + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1597, + "o365.audit.CreationTime": "2020-02-17T16:59:34", + "o365.audit.Id": "d7636db2-859f-437e-8dff-573726578ad7", + "o365.audit.ObjectId": "Unknown (Unknown)", + "o365.audit.Operation": "TeamsSessionStarted", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.RecordType": 25, + "o365.audit.UserId": "bob@testsiem.onmicrosoft.com", + "o365.audit.UserKey": "d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0", + "o365.audit.UserType": 0, + "o365.audit.Version": 1, + "o365.audit.Workload": "MicrosoftTeams", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "bob", + "service.type": "o365", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "bob@testsiem.onmicrosoft.com", + "user.name": "bob" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log new file mode 100644 index 000000000000..7a61bbe30f62 --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log 
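Review bot: The two `MemberAdded` records keep the affected accounts only inside `o365.audit.Members[].UPN`, while `related.user` lists just the actor (`asr`), so a search for who was added to a team (e.g. by `bob`) will not find these membership changes; the pipeline should append each member's UPN, or its local part to match how `related.user` is filled from `UserId`, to `related.user`. Every Teams record is also categorised as `event.category: "web"` / `event.type: "info"`, including `TeamsSessionStarted` and `MemberAdded`, whereas the Yammer fixture already uses `iam` with `["group", "creation"]` for a comparable group operation; a consistent categorisation (session/start for the sign-in, iam plus group/change for membership) would make ECS-based rules work across workloads. `host.id` being populated from `OrganizationId` in all four records also looks like a field-choice worth a second look, since it is a tenant identifier rather than a host.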
@@ -0,0 +1,3 @@
+{"Category": "AccessGovernance", "UserKey": "SecurityComplianceAlerts", "Operation": "AlertEntityGenerated", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AlertEntityId" : "asr@testsiem.onmicrosoft.com", "Source" : "Office 365 Security & Compliance", "Name" : "Elevation of Exchange admin privilege", "AlertType" : "System", "RecordType" : 40, "Version" : 1, "Status" : "Active", "ObjectId" : "asr@testsiem.onmicrosoft.com", "ResultStatus" : "Succeeded", "Comments" : "New alert", "AlertLinks" : [ { "AlertLinkHref" : "http://example.net/alert" }, { "AlertLinkHref" : "http://example.net/info" } ], "Severity" : "Low", "Data" : "{\"etype\":\"User\",\"eid\":\"asr@testsiem.onmicrosoft.com\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ts\":\"2020-02-14T18:54:45.0000000Z\",\"te\":\"2020-02-14T18:54:45.0000000Z\",\"op\":\"GrantAdminPermission\",\"tdc\":\"1\",\"suid\":\"asr@testsiem.onmicrosoft.com\",\"ut\":\"Admin\",\"lon\":\"GrantAdminPermission\"}", "Workload" : "SecurityComplianceCenter", "EntityType" : "User", "AlertId" : "5ba6e029-8b6e-13bd-b800-08d7b180173c", "UserId" : "SecurityComplianceAlerts", "CreationTime" : "2020-02-14T19:00:00", "Id" : "448854d7-81f6-4a06-d31a-08d7b1c1fb2f", "UserType" : 4, "PolicyId" : "17d51759-88e1-40c1-8df3-20bcf2e43057" }
+{ "Status" : "Active", "Category" : "AccessGovernance", "ResultStatus" : "Succeeded", "ObjectId" : "5ba6e029-8b6e-13bd-b800-08d7b180173c", "Comments" : "New alert", "UserKey" : "SecurityComplianceAlerts", "AlertLinks" : [ { "AlertLinkHref" : "http://example.net/single" } ], "Data" : "{\"f3u\":\"asr@testsiem.onmicrosoft.com\",\"ts\":\"2020-02-14T18:45:00.0000000Z\",\"te\":\"2020-02-14T19:00:00.0000000Z\",\"op\":\"GrantAdminPermission\",\"wl\":\"Exchange\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"tdc\":\"1\",\"reid\":\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\",\"rid\":\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\",\"cid\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"ad\":\"This alert is 
triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\",\"lon\":\"GrantAdminPermission\",\"an\":\"Elevation of Exchange admin privilege\",\"sev\":\"Low\"}", "Severity" : "Low", "Operation" : "AlertTriggered", "OrganizationId" : "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Source" : "Office 365 Security & Compliance", "Workload" : "SecurityComplianceCenter", "Name" : "Elevation of Exchange admin privilege", "AlertType" : "System", "AlertId" : "5ba6e029-8b6e-13bd-b800-08d7b180173c", "RecordType" : 40, "Version" : 1, "UserId" : "SecurityComplianceAlerts", "CreationTime" : "2020-02-14T19:00:00", "Id" : "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", "UserType" : 4, "PolicyId" : "17d51759-88e1-40c1-8df3-20bcf2e43057" }
+{ "Status" : "Active", "Category" : "ThreatManagement", "ResultStatus" : "Succeeded", "ObjectId" : "12345678-8b6e-13bd-b800-08d7b180173c", "Comments" : "This is a phony threat alert", "UserKey" : "SecurityComplianceAlerts", "AlertLinks" : [], "Data" : "{\"something\":\"blabla\"}", "Severity" : "High", "Operation" : "AlertTriggered", "OrganizationId" : "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Source" : "Office 365 Security & Compliance", "Workload" : "SecurityComplianceCenter", "Name" : "Phony Malware Alert", "AlertType" : "System", "AlertId" : "1233344-8b6e-13bd-b800-08d7b180173c", "RecordType" : 40, "Version" : 1, "UserId" : "SecurityComplianceAlerts", "CreationTime" : "2020-02-14T19:00:00", "Id" : "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", "UserType" : 4, "PolicyId" : "17d51759-88e1-40c1-8df3-20bcf2e43057", "AlertEntityId" : "Malware/Evil.Malware.B", "EntityType" : "MalwareFamily"}
diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json
new file mode 100644
index 000000000000..beee33417615
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json
@@ -0,0 +1,165 @@ +[ + { + "@timestamp": "2020-02-14T19:00:00.000Z", + "event.action": "AlertEntityGenerated", + "event.category": "authentication", + "event.code": "SecurityComplianceAlerts", + "event.dataset": "o365.audit", + "event.id": "448854d7-81f6-4a06-d31a-08d7b1c1fb2f", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SecurityComplianceCenter", + "event.severity": 2, + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 0, + "message": "New alert", + "o365.audit.AlertEntityId": "asr@testsiem.onmicrosoft.com", + "o365.audit.AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", + "o365.audit.AlertLinks": [ + "http://example.net/alert", + "http://example.net/info" + ], + "o365.audit.AlertType": "System", + "o365.audit.Category": "AccessGovernance", + "o365.audit.Comments": "New alert", + "o365.audit.CreationTime": "2020-02-14T19:00:00", + "o365.audit.Data": "{\"etype\":\"User\",\"eid\":\"asr@testsiem.onmicrosoft.com\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ts\":\"2020-02-14T18:54:45.0000000Z\",\"te\":\"2020-02-14T18:54:45.0000000Z\",\"op\":\"GrantAdminPermission\",\"tdc\":\"1\",\"suid\":\"asr@testsiem.onmicrosoft.com\",\"ut\":\"Admin\",\"lon\":\"GrantAdminPermission\"}", + "o365.audit.EntityType": "User", + "o365.audit.Id": "448854d7-81f6-4a06-d31a-08d7b1c1fb2f", + "o365.audit.Name": "Elevation of Exchange admin privilege", + "o365.audit.ObjectId": "asr@testsiem.onmicrosoft.com", + "o365.audit.Operation": "AlertEntityGenerated", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.PolicyId": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "o365.audit.RecordType": 40, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.Severity": "Low", + "o365.audit.Source": "Office 365 Security & Compliance", + "o365.audit.Status": "Active", + "o365.audit.UserId": "SecurityComplianceAlerts", + 
"o365.audit.UserKey": "SecurityComplianceAlerts", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "SecurityComplianceCenter", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "related.user": "asr", + "rule.category": "AccessGovernance", + "rule.description": "asr@testsiem.onmicrosoft.com", + "rule.id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "rule.name": "Elevation of Exchange admin privilege", + "rule.reference": [ + "http://example.net/alert", + "http://example.net/info" + ], + "rule.ruleset": "User", + "service.type": "o365", + "user.domain": "testsiem.onmicrosoft.com", + "user.id": "asr@testsiem.onmicrosoft.com", + "user.name": "asr" + }, + { + "@timestamp": "2020-02-14T19:00:00.000Z", + "event.action": "AlertTriggered", + "event.category": "authentication", + "event.code": "SecurityComplianceAlerts", + "event.dataset": "o365.audit", + "event.id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SecurityComplianceCenter", + "event.severity": 2, + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 1285, + "message": "New alert", + "o365.audit.AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", + "o365.audit.AlertLinks": "http://example.net/single", + "o365.audit.AlertType": "System", + "o365.audit.Category": "AccessGovernance", + "o365.audit.Comments": "New alert", + "o365.audit.CreationTime": "2020-02-14T19:00:00", + "o365.audit.Data": "{\"f3u\":\"asr@testsiem.onmicrosoft.com\",\"ts\":\"2020-02-14T18:45:00.0000000Z\",\"te\":\"2020-02-14T19:00:00.0000000Z\",\"op\":\"GrantAdminPermission\",\"wl\":\"Exchange\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"tdc\":\"1\",\"reid\":\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\",\"rid\":\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\",\"cid\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"ad\":\"This alert is 
triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\",\"lon\":\"GrantAdminPermission\",\"an\":\"Elevation of Exchange admin privilege\",\"sev\":\"Low\"}", + "o365.audit.Id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", + "o365.audit.Name": "Elevation of Exchange admin privilege", + "o365.audit.ObjectId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", + "o365.audit.Operation": "AlertTriggered", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.PolicyId": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "o365.audit.RecordType": 40, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.Severity": "Low", + "o365.audit.Source": "Office 365 Security & Compliance", + "o365.audit.Status": "Active", + "o365.audit.UserId": "SecurityComplianceAlerts", + "o365.audit.UserKey": "SecurityComplianceAlerts", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "SecurityComplianceCenter", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "rule.category": "AccessGovernance", + "rule.id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "rule.name": "Elevation of Exchange admin privilege", + "rule.reference": "http://example.net/single", + "service.type": "o365", + "user.id": "SecurityComplianceAlerts" + }, + { + "@timestamp": "2020-02-14T19:00:00.000Z", + "event.action": "AlertTriggered", + "event.category": "malware", + "event.code": "SecurityComplianceAlerts", + "event.dataset": "o365.audit", + "event.id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", + "event.kind": "alert", + "event.module": "o365", + "event.outcome": "success", + "event.provider": "SecurityComplianceCenter", + "event.severity": 4, + "event.type": "info", + "fileset.name": "audit", + "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "input.type": "log", + "log.offset": 2755, + "message": "This is a phony threat alert", + "o365.audit.AlertEntityId": "Malware/Evil.Malware.B", + "o365.audit.AlertId": 
"1233344-8b6e-13bd-b800-08d7b180173c", + "o365.audit.AlertType": "System", + "o365.audit.Category": "ThreatManagement", + "o365.audit.Comments": "This is a phony threat alert", + "o365.audit.CreationTime": "2020-02-14T19:00:00", + "o365.audit.Data": "{\"something\":\"blabla\"}", + "o365.audit.EntityType": "MalwareFamily", + "o365.audit.Id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", + "o365.audit.Name": "Phony Malware Alert", + "o365.audit.ObjectId": "12345678-8b6e-13bd-b800-08d7b180173c", + "o365.audit.Operation": "AlertTriggered", + "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "o365.audit.PolicyId": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "o365.audit.RecordType": 40, + "o365.audit.ResultStatus": "Succeeded", + "o365.audit.Severity": "High", + "o365.audit.Source": "Office 365 Security & Compliance", + "o365.audit.Status": "Active", + "o365.audit.UserId": "SecurityComplianceAlerts", + "o365.audit.UserKey": "SecurityComplianceAlerts", + "o365.audit.UserType": 4, + "o365.audit.Version": 1, + "o365.audit.Workload": "SecurityComplianceCenter", + "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "rule.category": "ThreatManagement", + "rule.description": "Malware/Evil.Malware.B", + "rule.id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "rule.name": "Phony Malware Alert", + "rule.ruleset": "MalwareFamily", + "service.type": "o365", + "threat.technique.id": "Malware/Evil.Malware.B", + "user.id": "SecurityComplianceAlerts" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log new file mode 100644 index 000000000000..c1e20b772c4b --- /dev/null +++ b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log 
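Review bot: `rule.description` and `threat.technique.id` are filled from `AlertEntityId` (`"asr@testsiem.onmicrosoft.com"` in the first record, `"Malware/Evil.Malware.B"` in the third), which is the entity the alert fired on, not a rule description and not a MITRE technique id; anyone pivoting on `threat.technique.id` or reading `rule.description` will be misled, so the entity is better kept under `user.*`/`related.user` for `EntityType: User` and a module-specific field for other entity types, with `Name` or the `Data.ad` text serving as the description. `o365.audit.AlertLinks` and `rule.reference` are an array in the first record but a bare string (`"http://example.net/single"`) in the second, so the single-element list is being flattened and consumers see two shapes for one field. The structured detail in `Data` (`op`, `suid`, `ut`, `wl`) survives only as an escaped JSON string, so the operation that actually triggered the alert is not searchable as a field; parsing it when it is valid JSON, with the third record's `{"something":"blabla"}` as the fallback case, would make triage much easier.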
@@ -0,0 +1,9 @@
+{"Workload": "SecurityComplianceCenter", "DataType": "DataInsightsSubscription", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:38", "UserId": "Service Account", "UserType": 5, "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", "RecordType": 52}
+{"Workload": "SecurityComplianceCenter", "DataType": "DataInsightsSubscription", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:38", "UserId": "Service Account", "UserType": 5, "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", "RecordType": 52}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "DataType": "DataInsightsSubscription", "CreationTime": "2020-02-10T15:13:38", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Service Account", "UserType": 5, "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "DataType": "DataInsightsSubscription", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:26", "UserId": "Service Account", "UserType": 5, "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "DataType": "DataInsightsSubscription", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:38", "UserId": "Service Account", "UserType": 5, "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "UserType": 5, "DataType": 
"DataInsightsSubscription", "CreationTime": "2020-02-12T10:53:26", "UserId": "Service Account", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "UserType": 5, "DataType": "DataInsightsSubscription", "UserId": "Service Account", "CreationTime": "2020-02-10T15:13:38", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "UserType": 5, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:26", "UserId": "Service Account", "DataType": "DataInsightsSubscription", "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2"}
+{"Workload": "SecurityComplianceCenter", "RecordType": 52, "UserType": 5, "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Service Account", "CreationTime": "2020-02-12T21:38:38", "DataType": "DataInsightsSubscription", "Version": 1, "UserKey": "Service Account", "Operation": "SearchDataInsightsSubscription", "Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc"}
diff --git a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json
new file mode 100644
index 000000000000..3ea637aee91a
--- /dev/null
+++ b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json
@@ -0,0 +1,281 @@
+[
+ {
+ "@timestamp": "2020-02-10T15:13:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 0,
+ "o365.audit.CreationTime": "2020-02-10T15:13:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T21:38:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 377,
+ "o365.audit.CreationTime": "2020-02-12T21:38:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-10T15:13:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 754,
+ "o365.audit.CreationTime": "2020-02-10T15:13:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T10:53:26.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 1131,
+ "o365.audit.CreationTime": "2020-02-12T10:53:26",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T21:38:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 1508,
+ "o365.audit.CreationTime": "2020-02-12T21:38:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T10:53:26.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 1885,
+ "o365.audit.CreationTime": "2020-02-12T10:53:26",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-10T15:13:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 2262,
+ "o365.audit.CreationTime": "2020-02-10T15:13:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T10:53:26.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 2639,
+ "o365.audit.CreationTime": "2020-02-12T10:53:26",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ },
+ {
+ "@timestamp": "2020-02-12T21:38:38.000Z",
+ "event.action": "SearchDataInsightsSubscription",
+ "event.category": "web",
+ "event.code": "DataInsightsRestApiAudit",
+ "event.dataset": "o365.audit",
+ "event.id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "event.kind": "event",
+ "event.module": "o365",
+ "event.outcome": "success",
+ "event.provider": "SecurityComplianceCenter",
+ "event.type": "info",
+ "fileset.name": "audit",
+ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "input.type": "log",
+ "log.offset": 3016,
+ "o365.audit.CreationTime": "2020-02-12T21:38:38",
+ "o365.audit.DataType": "DataInsightsSubscription",
+ "o365.audit.Id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc",
+ "o365.audit.Operation": "SearchDataInsightsSubscription",
+ "o365.audit.OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "o365.audit.RecordType": 52,
+ "o365.audit.UserId": "Service Account",
+ "o365.audit.UserKey": "Service Account",
+ "o365.audit.UserType": 5,
+ "o365.audit.Version": 1,
+ "o365.audit.Workload": "SecurityComplianceCenter",
+ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "service.type": "o365",
+ "user.id": "Service Account"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/fields.go b/x-pack/filebeat/module/o365/fields.go
new file mode 100644
index 000000000000..c371afd8dd9d
--- /dev/null
+++ b/x-pack/filebeat/module/o365/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package o365
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "o365", asset.ModuleFieldsPri, AssetO365); err != nil {
+ panic(err)
+ }
+}
+
+// AssetO365 returns asset data.
+// This is the base64 encoded gzipped contents of module/o365.
+func AssetO365() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/o365/module.yml b/x-pack/filebeat/module/o365/module.yml
new file mode 100644
index 000000000000..2ef22242db88
--- /dev/null
+++ b/x-pack/filebeat/module/o365/module.yml
@@ -0,0 +1,3 @@
+dashboards:
+ - id: 712e2c00-685d-11ea-8d6a-292ef5d68366
+ file: Filebeat-O365-Audit.json
diff --git a/x-pack/filebeat/modules.d/o365.yml.disabled b/x-pack/filebeat/modules.d/o365.yml.disabled
new file mode 100644
index 000000000000..b957965fa751
--- /dev/null
+++ b/x-pack/filebeat/modules.d/o365.yml.disabled
@@ -0,0 +1,48 @@
+# Module: o365
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
+
+- module: o365
+ audit:
+ enabled: true
+
+ # Set the application_id (also known as client ID):
+ var.application_id: ""
+
+ # Configure the tenants to monitor:
+ # Use the tenant ID (also known as directory ID) and the domain name.
+ # var.tenants:
+ # - id: "tenant_id_1"
+ # name: "mydomain.onmicrosoft.com"
+ # - id: "tenant_id_2"
+ # name: "mycompany.com"
+ var.tenants:
+ - id: ""
+ name: "mytenant.onmicrosoft.com"
+
+ # List of content-types to fetch. By default all known content-types
+ # are retrieved:
+ # var.content_type:
+ # - "Audit.AzureActiveDirectory"
+ # - "Audit.Exchange"
+ # - "Audit.SharePoint"
+ # - "Audit.General"
+ # - "DLP.All"
+
+ # Use the following settings to enable certificate-based authentication:
+ # var.certificate: "/path/to/certificate.pem"
+ # var.key: "/path/to/private_key.pem"
+ # var.key_passphrase: "myPrivateKeyPassword"
+
+ # Client-secret based authentication:
+ # Comment the following line if using certificate authentication.
+ var.client_secret: ""
+
+ # Advanced settings, use with care:
+ # var.api:
+ # # Settings for custom endpoints:
+ # authentication_endpoint: "https://login.microsoftonline.us/"
+ # resource: "https://manage.office365.us"
+ #
+ # max_retention: 7d
+ # max_requests_per_minute: 2000
+ # poll_interval: 3m
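Review bot: `var.client_secret: ""` (and the commented `var.key_passphrase: "myPrivateKeyPassword"` in the certificate block) steer operators toward writing the Azure AD application secret in plain text into modules.d, where it is exposed to anyone who can read the config directory and tends to be copied into backups and config management. Filebeat already has a keystore for this, and the template is the place users will look, so a comment next to the setting would help: `# Prefer the Filebeat keystore over a literal secret: run "filebeat keystore add O365_CLIENT_SECRET" and set var.client_secret: "${O365_CLIENT_SECRET}"`. The same one-line hint belongs beside `var.key_passphrase`.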