From 034c81122ff3f8c4f8a9d907c7a1ace434e2aa44 Mon Sep 17 00:00:00 2001 
From: Marius Iversen
Date: Wed, 9 Jun 2021 14:48:28 +0200
Subject: [PATCH 1/3] updating o365 ECS version and adding event.original options
---
.../test-azuread-sts-logon.log-expected.json | 552 +++++++++---
.../test/pipeline/test-azuread.log-config.yml | 7 -
.../pipeline/test-azuread.log-expected.json | 800 +++++++++++++-----
....log-config.yml => test-common-config.yml} | 2 +
.../test-data-insights-api.log-config.yml | 7 -
.../test-data-insights-api.log-expected.json | 90 +-
.../pipeline/test-dlp-exchange.log-config.yml | 7 -
.../test-dlp-exchange.log-expected.json | 48 +-
.../test-dlp-sharepoint.log-config.yml | 7 -
.../test-dlp-sharepoint.log-expected.json | 56 +-
.../test-exchange-admin.log-config.yml | 7 -
.../test-exchange-admin.log-expected.json | 800 +++++++++++++-----
.../test-exchange-item.log-config.yml | 7 -
.../test-exchange-item.log-expected.json | 72 +-
.../pipeline/test-ip-formats.log-config.yml | 7 -
.../test-ip-formats.log-expected.json | 166 ++--
.../pipeline/test-ms-teams.log-config.yml | 7 -
.../pipeline/test-ms-teams.log-expected.json | 34 +-
.../test-sec-comp-alerts.log-config.yml | 7 -
.../test-sec-comp-alerts.log-expected.json | 82 +-
.../pipeline/test-sharepoint.log-config.yml | 7 -
.../test-sharepoint.log-expected.json | 32 +-
.../test-sharepointfileop.log-config.yml | 7 -
.../test-sharepointfileop.log-expected.json | 88 +-
.../test-sp-sharing-op.log-config.yml | 7 -
.../test-sp-sharing-op.log-expected.json | 80 +-
.../test/pipeline/test-yammer.log-config.yml | 7 -
.../pipeline/test-yammer.log-expected.json | 16 +-
.../audit/agent/stream/log.yml.hbs | 18 +-
.../audit/agent/stream/o365audit.yml.hbs | 13 +-
.../elasticsearch/ingest_pipeline/default.yml | 15 +-
packages/o365/data_stream/audit/manifest.yml | 34 +
32 files changed, 2223 insertions(+), 866 deletions(-)
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-config.yml
rename
packages/o365/data_stream/audit/_dev/test/pipeline/{test-azuread-sts-logon.log-config.yml => test-common-config.yml} (83%)
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-config.yml
delete mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-config.yml
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json
index ef8ff735ade..c082cdded02 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json
@@ -22,6 +22,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
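Review bot: Every event in this expected file gains the `preserve_original_event` tag together with a populated `event.original` (this hunk and the matching ones further down), so the fixture only pins the opt-in path. Nothing visible here shows a case where the tag is absent and `event.original` is expected to be missing from the output, which is presumably what users get by default; the pipeline change itself is outside this view. Because `event.original` holds the complete raw audit record (user IDs, client IPs, user agent), the removal path is the one that matters for retention and privacy, and a regression there would pass these tests unnoticed. Consider adding one small log/expected pair whose test config does not set the tag, asserting that `event.original` is absent.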
@@ -74,7 +77,7 @@ }, "@timestamp": "2020-02-10T15:13:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -97,7 +100,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834351300Z", + "ingested": "2021-06-09T12:47:50.667038900Z", + "original": "{\"InterSystemsId\": \"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:13\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c4206c29-46c2-4a6f-a46b-735107705400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ca0efc24-1b89-4962-8fef-a3ac5437302f\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -156,6 +160,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -208,7 +215,7 @@ }, "@timestamp": "2020-02-12T10:53:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -231,7 +238,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834377800Z", + "ingested": "2021-06-09T12:47:50.667065300Z", + "original": "{\"InterSystemsId\": \"05d69096-cb90-4690-ae69-8acd5177b3e0\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:24\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ed155e11-60b3-4764-b9aa-05c35f3bb800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b53de36d-ea71-4ebf-9b71-feb431bd4eba\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -290,6 +298,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -342,7 +353,7 @@ }, "@timestamp": "2020-02-09T15:29:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -365,7 +376,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834407200Z", + "ingested": "2021-06-09T12:47:50.667072400Z", + "original": "{\"InterSystemsId\": \"0f5eb16e-8b22-49bf-a927-f6f310fd5879\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"6634d05a-72ec-4c27-8e69-03c57b202000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"10e2d141-839e-4913-ab3d-6cf1f4856eae\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -424,6 +436,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -476,7 +491,7 @@ }, "@timestamp": "2020-02-12T10:52:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -499,7 +514,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834414100Z", + "ingested": "2021-06-09T12:47:50.667102100Z", + "original": "{\"InterSystemsId\": \"1150acae-a48d-4752-8847-7bacb7fe6e6c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:06\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1809f830-b010-4389-9607-e01ae175ca00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"68b3fd99-0dae-4479-926d-03cc0073dd08\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -558,6 +574,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -610,7 +629,7 @@ }, "@timestamp": "2020-02-12T10:53:22.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -633,7 +652,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834419700Z", + "ingested": "2021-06-09T12:47:50.667108500Z", + "original": "{\"InterSystemsId\": \"16e81fcc-add3-46c2-8834-10ce330ffe76\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"2a84e6ff-7340-426e-9d0d-e53092c0c600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"550af372-cdfd-4286-a1b7-d58df0dcd5d6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -692,6 +712,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -744,7 +767,7 @@ }, "@timestamp": "2020-02-07T16:43:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -767,7 +790,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834425900Z", + "ingested": "2021-06-09T12:47:50.667114100Z", + "original": "{\"InterSystemsId\": \"172703f7-324e-415a-a846-c39ca97eb1c8\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:23\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d66cd29f-596e-4878-b756-92b545d25f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b5f59a43-00cf-42c4-8685-a7166fd20e38\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -826,6 +850,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -878,7 +905,7 @@ }, "@timestamp": "2020-02-07T16:43:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -901,7 +928,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834431Z", + "ingested": "2021-06-09T12:47:50.667120200Z", + "original": "{\"InterSystemsId\": \"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:41\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1b395e92-5d02-408f-8bfe-139098a95500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"32e7fb94-6289-4fb4-855b-2ab78671ca4e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -960,6 +988,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1012,7 +1043,7 @@ }, "@timestamp": "2020-02-07T16:43:22.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1035,7 +1066,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834436400Z", + "ingested": "2021-06-09T12:47:50.667125600Z", + "original": "{\"InterSystemsId\": \"22aac168-9d0d-4c70-b94d-adc337ab7b06\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"280b3410-9d51-4ce3-952d-5bba18ea6600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1094,6 +1126,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1146,7 +1181,7 @@ }, "@timestamp": "2020-02-12T10:52:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -1169,7 +1204,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834441500Z", + "ingested": "2021-06-09T12:47:50.667130600Z", + "original": "{\"InterSystemsId\": \"23321532-a321-4c97-909d-9489979777d6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:05\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1909acba-a486-4ffc-805c-09fb73c0bf00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"97b494ee-9ba1-4444-b052-3459bdc9eaa5\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -1228,6 +1264,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1280,7 +1319,7 @@ }, "@timestamp": "2020-02-07T16:43:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1303,7 +1342,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834446300Z", + "ingested": "2021-06-09T12:47:50.667135400Z", + "original": "{\"InterSystemsId\": \"291fb7ce-4e56-47fd-a78e-4e9012f112ab\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"391870e6-1729-40ae-9ebb-51e0652fec9b\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1362,6 +1402,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1414,7 +1457,7 @@ }, "@timestamp": "2020-02-12T10:51:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1437,7 +1480,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834452200Z", + "ingested": "2021-06-09T12:47:50.667141300Z", + "original": "{\"InterSystemsId\": \"30e5377b-31d8-42c2-8170-13404afacde7\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:49\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8971516f-3ef3-4de0-b6b8-ebfae386bc00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a7538fb0-3213-41dc-ab38-1aed787e0cdc\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1496,6 +1540,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1548,7 +1595,7 @@ }, "@timestamp": "2020-02-09T15:29:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1571,7 +1618,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834457300Z", + "ingested": "2021-06-09T12:47:50.667146500Z", + "original": "{\"InterSystemsId\": \"32e2f533-40fb-4783-8c66-d1bad7e1cc88\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e2a15fc0-6892-41f5-a41c-e515231cbb0a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1630,6 +1678,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1682,7 +1733,7 @@ }, "@timestamp": "2020-02-10T15:13:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1705,7 +1756,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834462400Z", + "ingested": "2021-06-09T12:47:50.667151400Z", + "original": "{\"InterSystemsId\": \"3c5d16f4-16a6-45f4-a53d-abb86e35005b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:08\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f67a1615-4606-4673-b6fb-68f716345800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1764,6 +1816,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1816,7 +1871,7 @@ }, "@timestamp": "2020-02-07T16:43:27.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1839,7 +1894,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834486200Z", + "ingested": "2021-06-09T12:47:50.667156300Z", + "original": "{\"InterSystemsId\": \"40077a75-7b58-4623-a64a-f1b7de70fa54\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:27\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e031670b-bb84-45ee-94ff-0e70a8cd1138\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -1895,6 +1951,9 @@ }, "ip": "37.29.234.179" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -1947,7 +2006,7 @@ }, "@timestamp": "2020-02-08T14:33:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1970,7 +2029,8 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-02T06:59:40.834494300Z", + "ingested": "2021-06-09T12:47:50.667161Z", + "original": "{\"InterSystemsId\": \"425503c9-ccbf-4674-8f1e-4d56510474fd\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:54\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"57ef1056-6ce2-424a-b241-ce3939d00900\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d39944c4-6766-4a89-8d5a-c789175830ee\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2029,6 +2089,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -2081,7 +2144,7 @@ }, "@timestamp": "2020-02-10T15:13:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2104,7 +2167,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834507300Z", + "ingested": "2021-06-09T12:47:50.667165800Z", + "original": "{\"InterSystemsId\": \"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:12\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"6f2b7716-1acc-450d-ae13-afad7e02d07e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2163,6 +2227,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -2215,7 +2282,7 @@ }, "@timestamp": "2020-02-12T21:38:35.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2238,7 +2305,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834513100Z", + "ingested": "2021-06-09T12:47:50.667170800Z", + "original": "{\"InterSystemsId\": \"4542ce7e-270b-435e-8f81-ee23ea74be75\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:35\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9718abaa-220e-49c5-8c9b-588d32b8db00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"47f3c440-3fb7-4b5e-9c20-455470b289d2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2294,6 +2362,9 @@ }, "ip": "37.29.234.179" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2346,7 +2417,7 @@ }, "@timestamp": "2020-02-08T14:38:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2369,7 +2440,8 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-02T06:59:40.834518400Z", + "ingested": "2021-06-09T12:47:50.667175400Z", + "original": "{\"InterSystemsId\": \"4836e306-1460-4f34-ab55-a74c9a14f50d\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:38:40\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2428,6 +2500,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -2480,7 +2555,7 @@ }, "@timestamp": "2020-02-10T15:13:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2503,7 +2578,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834523700Z", + "ingested": "2021-06-09T12:47:50.667180Z", + "original": "{\"InterSystemsId\": \"4a50a549-adf3-4a22-9037-7fd8cd3d0116\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1d856a16-b179-41ab-9c0d-af1d2b925100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"5aff2d1c-b203-46a6-96f0-b8f908f0e968\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2562,6 +2638,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -2614,7 +2693,7 @@ }, "@timestamp": "2020-02-10T15:13:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2637,7 +2716,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834529300Z", + "ingested": "2021-06-09T12:47:50.667185100Z", + "original": "{\"InterSystemsId\": \"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2696,6 +2776,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -2748,7 +2831,7 @@ }, "@timestamp": "2020-02-12T21:38:25.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -2771,7 +2854,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834534500Z", + "ingested": "2021-06-09T12:47:50.667190Z", + "original": "{\"InterSystemsId\": \"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:25\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"a063e495-5883-4837-8186-5828f9f2d500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -2830,6 +2914,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2882,7 +2969,7 @@ }, "@timestamp": "2020-02-07T16:44:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2905,7 +2992,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834539100Z", + "ingested": "2021-06-09T12:47:50.667195400Z", + "original": "{\"InterSystemsId\": \"50d648cb-466d-4cf4-b2f8-3b7e84f47040\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:04\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"08e18876-6177-487e-b8b5-cf950c1e598c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000003-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"64613cae-510d-4a52-b486-070b775e5800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -2964,6 +3052,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3016,7 +3107,7 @@ }, "@timestamp": "2020-02-12T10:51:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3039,7 +3130,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834543400Z", + "ingested": "2021-06-09T12:47:50.667444600Z", + "original": "{\"InterSystemsId\": \"5a453031-0cc3-4577-a589-4c3bf37eed78\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"814a32f0-27fd-4e82-855c-13da15a4c300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"19d57a4a-d32e-4dc6-971f-3491bc440023\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3098,6 +3190,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3150,7 +3245,7 @@ }, "@timestamp": "2020-02-10T15:13:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3173,7 +3268,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834548600Z", + "ingested": "2021-06-09T12:47:50.667464700Z", + "original": "{\"InterSystemsId\": \"5cd6215d-e206-4c3f-805d-6e386cbdab7a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9c218a27-ed51-4011-8383-e76850e85000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"0b158f74-e223-43c8-9cfd-5f4442f29fc7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3232,6 +3328,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3284,7 +3383,7 @@ }, "@timestamp": "2020-02-07T16:43:51.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3307,7 +3406,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834552800Z", + "ingested": "2021-06-09T12:47:50.667473600Z", + "original": "{\"InterSystemsId\": \"612b339f-1088-a000-f25f-9c8af4d57894\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000003-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000003-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3366,6 +3466,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3418,7 +3521,7 @@ }, "@timestamp": "2020-02-12T21:38:29.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3441,7 +3544,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834557200Z", + "ingested": "2021-06-09T12:47:50.667480200Z", + "original": "{\"InterSystemsId\": \"61eb5713-2687-4c00-a7b2-fde4788c395b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:29\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e94002d9-f6e8-46f9-8702-2a29e908e73d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3500,6 +3604,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3552,7 +3659,7 @@ }, "@timestamp": "2020-02-12T21:38:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3575,7 +3682,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834576300Z", + "ingested": "2021-06-09T12:47:50.667486700Z", + "original": "{\"InterSystemsId\": \"61f81224-65fd-4c1b-b388-ee0e25485191\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"dc0cc415-9a00-470d-bda3-867e11fdd400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"1ca4f684-3a34-44a8-99b8-064d1071768a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3634,6 +3742,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3686,7 +3797,7 @@ }, "@timestamp": "2020-02-12T10:51:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3709,7 +3820,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834582700Z", + "ingested": "2021-06-09T12:47:50.667493900Z", + "original": "{\"InterSystemsId\": \"661f2330-3e04-483d-9781-caaa4543cc13\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:50\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"01c15486-46e2-487a-91f5-11445da0b600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3768,6 +3880,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3820,7 +3935,7 @@ }, "@timestamp": "2020-02-10T15:13:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3843,7 +3958,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834587900Z", + "ingested": "2021-06-09T12:47:50.667499900Z", + "original": "{\"InterSystemsId\": \"68d7eaa4-aa57-4508-9792-09e80c911aa1\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:42\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\"}], \"ObjectId\": \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1590b91f-bffe-4cd8-9028-de52692f5400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -3902,6 +4018,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -3953,7 +4072,7 @@ }, "@timestamp": "2020-02-07T16:42:59.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -3976,7 +4095,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834593700Z", + "ingested": "2021-06-09T12:47:50.667505900Z", + "original": "{\"InterSystemsId\": \"6ae96167-2df2-425c-9f91-27e6345eb782\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:42:59\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"LogonError\": \"FlowTokenExpired\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f54da4fe-0a54-45f3-b6ea-39f873eb6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4035,6 +4155,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4088,7 +4211,7 @@ }, "@timestamp": "2020-02-07T16:43:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4111,7 +4234,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834598Z", + "ingested": "2021-06-09T12:47:50.667513100Z", + "original": "{\"InterSystemsId\": \"6ae96167-2df2-425c-9f91-27e6345eb782\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"7fa5e138-ac87-4063-a278-56c6c6965e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4170,6 +4294,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4213,7 +4340,7 @@ }, "@timestamp": "2020-02-12T21:38:19.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4233,7 +4360,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834602Z", + "ingested": "2021-06-09T12:47:50.667519400Z", + "original": "{\"InterSystemsId\": \"6b9a8662-857f-45e4-bbb2-d106d5aab41e\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:19\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"0fee3b91-5e56-45f6-9b3c-792602b1e500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4289,6 +4417,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -4341,7 +4472,7 @@ }, "@timestamp": "2020-02-07T16:43:40.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4364,7 +4495,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834608200Z", + "ingested": "2021-06-09T12:47:50.667525200Z", + "original": "{\"InterSystemsId\": \"6bab76a8-98bd-42e4-b722-a31fe81b030a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:40\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4423,6 +4555,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -4466,7 +4601,7 @@ }, "@timestamp": "2020-02-09T15:30:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4486,7 +4621,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834613Z", + "ingested": "2021-06-09T12:47:50.667533800Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:30:58\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8b270c82-1240-4a0a-ac15-1e1116261400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"c0a0d198-825b-4e39-b868-0a7b0552b209\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4542,6 +4678,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4595,7 +4734,7 @@ }, "@timestamp": "2020-02-09T15:31:33.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4618,7 +4757,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834617500Z", + "ingested": "2021-06-09T12:47:50.667540200Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:31:33\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"52b07191-3887-40fb-a001-f4122b0851d1\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4677,6 +4817,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4720,7 +4863,7 @@ }, "@timestamp": "2020-02-10T15:14:25.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4740,7 +4883,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834621600Z", + "ingested": "2021-06-09T12:47:50.667546200Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:14:25\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d949d6c2-472e-4901-bd70-96cbfe534c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"c62fa78d-daab-494e-a638-8321ebd71b9e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -4796,6 +4940,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -4849,7 +4996,7 @@ }, "@timestamp": "2020-02-10T15:14:51.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4872,7 +5019,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834625800Z", + "ingested": "2021-06-09T12:47:50.667552100Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:14:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"42c7ec91-1e2f-4505-b728-3a165b244f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"73c76212-8120-4e21-a383-c80d8327b606\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -4931,6 +5079,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4983,7 +5134,7 @@ }, "@timestamp": "2020-02-10T15:29:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5006,7 +5157,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834629600Z", + "ingested": "2021-06-09T12:47:50.667558Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:29:56\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8b8e8663-8a8c-4959-a692-e3eece085300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"29f94716-3717-4671-962e-9c739b764f07\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5065,6 +5217,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -5117,7 +5272,7 @@ }, "@timestamp": "2020-02-11T16:51:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5140,7 +5295,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834633500Z", + "ingested": "2021-06-09T12:47:50.667563700Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:51:23\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"361dd87e-3bc9-4f0a-b236-ed7365e28d00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"17d02385-1e30-45b7-949c-4d3dd549a0e7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5199,6 +5355,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -5242,7 +5401,7 @@ }, "@timestamp": "2020-02-12T21:39:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -5262,7 +5421,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834637300Z", + "ingested": "2021-06-09T12:47:50.667569700Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:39:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"32b4cec1-00eb-44ea-be73-adc82387db00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e3346dd0-ecf6-4676-8765-365c7370b6fe\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5318,6 +5478,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5371,7 +5534,7 @@ }, "@timestamp": "2020-02-12T21:40:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5394,7 +5557,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834641100Z", + "ingested": "2021-06-09T12:47:50.667575600Z", + "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:40:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"a063e495-5883-4837-8186-582817fdd500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"a772fd76-847f-4703-90f1-37eb81c9f392\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -5450,6 +5614,9 @@ }, "ip": "37.29.234.179" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5502,7 +5669,7 @@ }, "@timestamp": "2020-02-08T14:33:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5525,7 +5692,8 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-02T06:59:40.834644900Z", + "ingested": "2021-06-09T12:47:50.667581400Z", + "original": "{\"InterSystemsId\": \"7766ac63-ae7f-43e6-868a-a5422a96fd8b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"adc9d69c-8ae6-41c7-b685-331453060a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"487e4f43-53db-4d6f-a314-5355746d4853\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5584,6 +5752,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -5636,7 +5807,7 @@ }, "@timestamp": "2020-02-12T10:53:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5659,7 +5830,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834649100Z", + "ingested": "2021-06-09T12:47:50.667587200Z", + "original": "{\"InterSystemsId\": \"781c1055-e731-48ee-a806-c3f39ba160e3\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:24\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"41f6b2dc-4db6-444c-93d9-829a842b87e2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5718,6 +5890,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -5770,7 +5945,7 @@ }, "@timestamp": "2020-02-07T16:43:22.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5793,7 +5968,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834652900Z", + "ingested": "2021-06-09T12:47:50.667592900Z", + "original": "{\"InterSystemsId\": \"82b07417-7b33-4531-952f-d3f719e2356a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"280b3410-9d51-4ce3-952d-5bba0bea6600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ec9fa29b-6201-456d-b228-ca1759e0bf6c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5852,6 +6028,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -5895,7 +6074,7 @@ }, "@timestamp": "2020-02-06T09:28:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -5915,7 +6094,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834656900Z", + "ingested": "2021-06-09T12:47:50.667598600Z", + "original": "{\"InterSystemsId\": \"8571fe85-eb4a-430d-b468-97900e344923\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-06T09:28:04\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d239e473-6687-4ff9-ac65-0e3c59961600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -5971,6 +6151,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6023,7 +6206,7 @@ }, "@timestamp": "2020-02-12T21:38:35.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6046,7 +6229,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834660700Z", + "ingested": "2021-06-09T12:47:50.667604400Z", + "original": "{\"InterSystemsId\": \"8d662bc0-0011-424d-a7dc-56bfc5a142b4\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:35\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d0a4e1ed-206d-4602-aaae-406a02c5c300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6105,6 +6289,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -6157,7 +6344,7 @@ }, "@timestamp": "2020-02-10T15:13:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6180,7 +6367,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834664500Z", + "ingested": "2021-06-09T12:47:50.667610100Z", + "original": "{\"InterSystemsId\": \"9270f20a-56f2-493e-b6a7-a859adcaf626\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:36\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"97aa710f-536f-44c8-a8d5-711dc55f5500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d2bb7eae-bc6e-42d2-b270-a885ec626235\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6239,6 +6427,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -6291,7 +6482,7 @@ }, "@timestamp": "2020-02-12T10:51:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -6314,7 +6505,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834668300Z", + "ingested": "2021-06-09T12:47:50.667615900Z", + "original": "{\"InterSystemsId\": \"97c52753-c410-438f-89e2-22741e5ccc6a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:49\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c9ef5d5f-e3af-4669-b465-921d8b58bd00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"03de6d95-b955-451c-8311-473b6853d774\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6373,6 +6565,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6425,7 +6620,7 @@ }, "@timestamp": "2020-02-07T16:43:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6448,7 +6643,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834672300Z", + "ingested": "2021-06-09T12:47:50.667621400Z", + "original": "{\"InterSystemsId\": \"9e0a494b-0db0-4481-a70e-eea6124b7018\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"e48d4214-364e-4731-b2b6-47dabf529218\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000004-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000004-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"e7a84bcf-41ff-4953-8e99-fb1820685f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6507,6 +6703,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -6559,7 +6758,7 @@ }, "@timestamp": "2020-02-10T15:13:36.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -6582,7 +6781,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834676300Z", + "ingested": "2021-06-09T12:47:50.667627100Z", + "original": "{\"InterSystemsId\": \"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:36\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"56fa424b-64bd-4ea5-abc4-38256f8a5600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"880fb7bc-5708-42d1-86a8-760c32ac5e6b\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -6641,6 +6841,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6693,7 +6896,7 @@ }, "@timestamp": "2020-02-12T21:38:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6716,7 +6919,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834680300Z", + "ingested": "2021-06-09T12:47:50.667632800Z", + "original": "{\"InterSystemsId\": \"a35e980b-88be-4343-9691-629473e01983\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"78a2aa65-5026-4124-970a-00e06dc7df00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"30c7afcc-f74d-4b5a-898e-ce72da9386b8\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6775,6 +6979,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -6827,7 +7034,7 @@ }, "@timestamp": "2020-02-06T09:28:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6850,7 +7057,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834684200Z", + "ingested": "2021-06-09T12:47:50.667638600Z", + "original": "{\"InterSystemsId\": \"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-06T09:28:00\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"bfe22fb6-c763-4972-91a7-5b13d3d51400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -6909,6 +7117,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -6961,7 +7172,7 @@ }, "@timestamp": "2020-02-09T15:28:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6984,7 +7195,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834688100Z", + "ingested": "2021-06-09T12:47:50.667644300Z", + "original": "{\"InterSystemsId\": \"aca3d9a3-792d-4357-87c6-ef50c3215baa\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f67a1615-4606-4673-b6fb-68f714fa2200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7043,6 +7255,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7095,7 +7310,7 @@ }, "@timestamp": "2020-02-10T15:13:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7118,7 +7333,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834691800Z", + "ingested": "2021-06-09T12:47:50.667650100Z", + "original": "{\"InterSystemsId\": \"ae211253-88cf-4921-9014-2f9beab64fb0\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8ff18278-32ca-49d1-8658-91e577e0854f\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7177,6 +7393,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7229,7 +7448,7 @@ }, "@timestamp": "2020-02-09T15:28:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7252,7 +7471,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834695800Z", + "ingested": "2021-06-09T12:47:50.667655500Z", + "original": "{\"InterSystemsId\": \"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c1ffa732-6576-4f86-9294-44387abc1f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a3939990-f7b4-4dc5-af4d-42b70a9485ea\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7311,6 +7531,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7363,7 +7586,7 @@ }, "@timestamp": "2020-02-10T15:13:01.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7386,7 +7609,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834699600Z", + "ingested": "2021-06-09T12:47:50.667661200Z", + "original": "{\"InterSystemsId\": \"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d949d6c2-472e-4901-bd70-96cb90424c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"61ba70f4-bd75-4bc2-a681-2e219d920e63\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7445,6 +7669,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7497,7 +7724,7 @@ }, "@timestamp": "2020-02-12T10:53:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7520,7 +7747,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834703100Z", + "ingested": "2021-06-09T12:47:50.667666900Z", + "original": "{\"InterSystemsId\": \"b5c5fd00-b659-413e-8739-6271a4d70506\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:12\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3e17bf8e-92de-45b6-b668-7618ab0e0c95\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7579,6 +7807,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7631,7 +7862,7 @@ }, "@timestamp": "2020-02-12T10:52:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7654,7 +7885,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834707Z", + "ingested": "2021-06-09T12:47:50.667672600Z", + "original": "{\"InterSystemsId\": \"b744259e-13e0-43d7-9f56-82cdbd54cf7c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:06\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ce9f104d-1a1b-488e-9313-b9729e99c400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"f100d714-ffa2-4077-bf90-2f57a3b366c0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7710,6 +7942,9 @@ }, "ip": "37.29.234.179" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -7762,7 +7997,7 @@ }, "@timestamp": "2020-02-08T14:33:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -7785,7 +8020,8 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-02T06:59:40.834711900Z", + "ingested": "2021-06-09T12:47:50.667678100Z", + "original": "{\"InterSystemsId\": \"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:50\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"49092519-a590-4207-b1b3-1d49f9100a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -7844,6 +8080,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -7896,7 +8135,7 @@ }, "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7919,7 +8158,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834716Z", + "ingested": "2021-06-09T12:47:50.667683700Z", + "original": "{\"InterSystemsId\": \"bb677f9e-953a-4bde-bb91-0ef8209200a1\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:38\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1da3c318-642f-48dc-836b-e83b27655b00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -7978,6 +8218,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8030,7 +8273,7 @@ }, "@timestamp": "2020-02-07T16:44:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8053,7 +8296,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834720100Z", + "ingested": "2021-06-09T12:47:50.667689400Z", + "original": "{\"InterSystemsId\": \"c355f078-53d7-4d60-b836-851a09a98208\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:05\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"20e56367-e902-4200-855b-2ef7b99e5f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -8112,6 +8356,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8164,7 +8411,7 @@ }, "@timestamp": "2020-02-09T15:28:51.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -8187,7 +8434,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834724200Z", + "ingested": "2021-06-09T12:47:50.667695Z", + "original": "{\"InterSystemsId\": \"c5874ff2-7c53-4d51-9252-7abbf0524b1c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"3188aef9-6b4e-44f2-8455-c28b49552200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8246,6 +8494,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8298,7 +8549,7 @@ }, "@timestamp": "2020-02-09T15:25:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8321,7 +8572,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834728100Z", + "ingested": "2021-06-09T12:47:50.667700600Z", + "original": "{\"InterSystemsId\": \"cf2168a1-6537-4ed6-80a5-797c3458180c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:25:21\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"23f53edd-63a7-4292-9d80-4fbc49c11e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d137a5e4-7004-493a-acca-5fb167d1f207\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -8380,6 +8632,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8432,7 +8687,7 @@ }, "@timestamp": "2020-02-12T21:38:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -8455,7 +8710,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834732100Z", + "ingested": "2021-06-09T12:47:50.667706400Z", + "original": "{\"InterSystemsId\": \"d21f6867-0670-4c94-b6fa-bde326fcf3c6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:20\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"73f0a2ef-35be-4a71-9545-59d879fc8fb2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -8514,6 +8770,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8566,7 +8825,7 @@ }, "@timestamp": "2020-02-07T16:44:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8589,7 +8848,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834735900Z", + "ingested": "2021-06-09T12:47:50.667712100Z", + "original": "{\"InterSystemsId\": \"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f22a3ad7-22e7-4296-a600-e4e9161a6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3783acda-5ded-4d69-95b6-3df5344c0ce0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -8648,6 +8908,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8700,7 +8963,7 @@ }, "@timestamp": "2020-02-07T16:44:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8723,7 +8986,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834739900Z", + "ingested": "2021-06-09T12:47:50.667723800Z", + "original": "{\"InterSystemsId\": \"d960e058-1adb-4a84-a65b-1a6ce367e323\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:03\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1dfdb693-18a1-4cff-aa3e-61feaa356100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"f67568b1-64c4-4165-bdd9-16a5b9142eef\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -8782,6 +9046,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8834,7 +9101,7 @@ }, "@timestamp": "2020-02-09T15:29:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8857,7 +9124,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834743900Z", + "ingested": "2021-06-09T12:47:50.667730200Z", + "original": "{\"InterSystemsId\": \"e2565aaf-91b0-4ccd-8810-743123eb7383\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"21166e08-6589-4c2d-a325-c97ba45f2200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a8114a24-d342-4689-b75e-51e6386763de\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -8916,6 +9184,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -8968,7 +9239,7 @@ }, "@timestamp": "2020-02-09T15:25:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8991,7 +9262,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:40.834747800Z", + "ingested": "2021-06-09T12:47:50.667736Z", + "original": "{\"InterSystemsId\": \"ede626b9-2035-4d02-8330-201c4ae82af6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:25:21\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"98612804-9aa6-40a4-b72a-808bc7742000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"1eaf9c65-8c67-4cd9-9277-771589113752\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", @@ -9050,6 +9322,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, 
@@ -9102,7 +9377,7 @@ }, "@timestamp": "2020-02-07T16:43:39.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -9125,7 +9400,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:40.834751700Z", + "ingested": "2021-06-09T12:47:50.667741600Z", + "original": "{\"InterSystemsId\": \"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:39\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"6e184f6f-887b-4410-b24d-723031366000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3c439e46-d454-4767-9320-1e75540821b7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json index 1c7ec7e9f08..8e166c0b102 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json @@ -22,6 +22,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -138,7 +141,7 @@ }, "@timestamp": "2020-02-09T15:33:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -161,7 +164,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590872200Z", + "ingested": "2021-06-09T12:47:54.355507900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n 
{\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", 
\"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": 
\"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -207,6 +211,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -323,7 +330,7 @@ }, "@timestamp": "2020-02-09T15:33:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -346,7 +353,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590890200Z", + "ingested": "2021-06-09T12:47:54.355527200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n 
{\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", 
\"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": 
\"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -392,6 +400,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -508,7 +519,7 @@ }, "@timestamp": "2020-02-09T15:33:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -531,7 +542,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590894900Z", + "ingested": "2021-06-09T12:47:54.355532200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, 
{\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": 
\"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -577,6 +589,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -702,7 +717,7 @@ }, "@timestamp": "2020-02-09T15:33:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
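Review bot: Every expected document visible in this part of the file now carries both `"tags": ["preserve_original_event"]` and a full `event.original`, starting with the `@@ -531,7 +542,8 @@` hunk and repeating in the hunks after it, so these fixtures exercise only the opt-in path. Nothing shown here asserts that `event.original` is dropped when the tag is absent, which is the branch that keeps a second raw copy of each audit record (UPN, client IP, tenant and object IDs) out of the index for deployments that did not opt in. The diffstat suggests the per-test configs were replaced by one shared config, so I would add one small log/config/expected set that runs without the tag and whose expected document has no `event.original` key. The pipeline change is outside this hunk and the removal logic may already be correct; the request is only for a fixture that pins it.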
@@ -725,7 +740,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590898900Z", + "ingested": "2021-06-09T12:47:54.355535900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1638042Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438642\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"b2cc2456-5ac5-4399-b960-82a40036476f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -771,6 +787,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -896,7 +915,7 @@ }, "@timestamp": "2020-02-09T15:33:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -919,7 +938,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590902400Z", + "ingested": "2021-06-09T12:47:54.355539400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1638042Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438642\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"b2cc2456-5ac5-4399-b960-82a40036476f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -965,6 +985,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1103,7 +1126,7 @@ }, "@timestamp": "2020-02-09T15:34:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1126,7 +1149,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590906700Z", + "ingested": "2021-06-09T12:47:54.355542800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -1172,6 +1196,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1310,7 +1337,7 @@ }, "@timestamp": "2020-02-09T15:34:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1333,7 +1360,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590911200Z", + "ingested": "2021-06-09T12:47:54.355546Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464434\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"d8a2ae24-a752-4f8e-adca-c57189a76a71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -1379,6 +1407,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1517,7 +1548,7 @@ }, "@timestamp": "2020-02-09T15:34:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1540,7 +1571,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590915400Z", + "ingested": "2021-06-09T12:47:54.355550100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -1586,6 +1618,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1724,7 +1759,7 @@ }, "@timestamp": "2020-02-09T15:34:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1747,7 +1782,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590919100Z", + "ingested": "2021-06-09T12:47:54.355554700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464434\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"d8a2ae24-a752-4f8e-adca-c57189a76a71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -1793,6 +1829,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1931,7 +1970,7 @@ }, "@timestamp": "2020-02-09T15:34:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1954,7 +1993,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590925900Z", + "ingested": "2021-06-09T12:47:54.355558400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2000,6 +2040,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2138,7 +2181,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2161,7 +2204,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590929500Z", + "ingested": "2021-06-09T12:47:54.355561700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2207,6 +2251,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2345,7 +2392,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2368,7 +2415,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590933500Z", + "ingested": "2021-06-09T12:47:54.355565100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2414,6 +2462,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2552,7 +2603,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2575,7 +2626,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590936700Z", + "ingested": "2021-06-09T12:47:54.355568200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2621,6 +2673,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2759,7 +2814,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2782,7 +2837,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590940Z", + "ingested": "2021-06-09T12:47:54.355571800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -2828,6 +2884,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -2966,7 +3025,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -2989,7 +3048,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590943800Z", + "ingested": "2021-06-09T12:47:54.355575100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -3035,6 +3095,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -3173,7 +3236,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3196,7 +3259,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590947100Z", + "ingested": "2021-06-09T12:47:54.355578300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -3242,6 +3306,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -3380,7 +3447,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3403,7 +3470,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590951600Z", + "ingested": "2021-06-09T12:47:54.355582300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -3449,6 +3517,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -3587,7 +3658,7 @@ }, "@timestamp": "2020-02-09T15:34:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3610,7 +3681,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590955Z", + "ingested": "2021-06-09T12:47:54.355585700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -3656,6 +3728,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -3772,7 +3847,7 @@ }, "@timestamp": "2020-02-09T15:34:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3795,7 +3870,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590958400Z", + "ingested": "2021-06-09T12:47:54.355589100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n 
{\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.5873254Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492828\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"fe115c66-3e08-4ab4-8a00-84ae25a59078\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -3841,6 +3917,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -3957,7 +4036,7 @@ }, "@timestamp": "2020-02-09T15:34:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -3980,7 +4059,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590961800Z", + "ingested": "2021-06-09T12:47:54.355592200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n 
}\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.5873254Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492828\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"fe115c66-3e08-4ab4-8a00-84ae25a59078\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4026,6 +4106,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4151,7 +4234,7 @@ }, "@timestamp": "2020-02-09T15:34:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4174,7 +4257,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590965Z", + "ingested": "2021-06-09T12:47:54.355595500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.6473040Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492835\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"76f9b173-c35c-4dbb-b5f7-64750ae994ce\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4220,6 +4304,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4336,7 +4423,7 @@ }, "@timestamp": "2020-02-09T18:25:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4359,7 +4446,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590968200Z", + "ingested": "2021-06-09T12:47:54.355598700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4405,6 +4493,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4521,7 +4612,7 @@ }, "@timestamp": "2020-02-09T18:25:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4544,7 +4635,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590971400Z", + "ingested": "2021-06-09T12:47:54.355601900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4590,6 +4682,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4706,7 +4801,7 @@ }, "@timestamp": "2020-02-09T18:25:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4729,7 +4824,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590974900Z", + "ingested": "2021-06-09T12:47:54.355605300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4775,6 +4871,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -4900,7 +4999,7 @@ }, "@timestamp": "2020-02-09T18:25:54.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -4923,7 +5022,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590978Z", + "ingested": "2021-06-09T12:47:54.355608500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7823970Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793206\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"606ae654-e71e-4a6b-a07c-85acd775667b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -4969,6 +5069,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5107,7 +5210,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5130,7 +5233,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590981600Z", + "ingested": "2021-06-09T12:47:54.355611900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5176,6 +5280,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5314,7 +5421,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5337,7 +5444,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590984900Z", + "ingested": "2021-06-09T12:47:54.355615200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5383,6 +5491,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5521,7 +5632,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5544,7 +5655,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590988300Z", + "ingested": "2021-06-09T12:47:54.355618700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5590,6 +5702,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5728,7 +5843,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5751,7 +5866,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590991600Z", + "ingested": "2021-06-09T12:47:54.355622200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -5797,6 +5913,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -5935,7 +6054,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -5958,7 +6077,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590994900Z", + "ingested": "2021-06-09T12:47:54.355625600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6004,6 +6124,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6142,7 +6265,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6165,7 +6288,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.590998100Z", + "ingested": "2021-06-09T12:47:54.355628800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6211,6 +6335,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6349,7 +6476,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6372,7 +6499,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591001500Z", + "ingested": "2021-06-09T12:47:54.355632Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6418,6 +6546,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6556,7 +6687,7 @@ }, "@timestamp": "2020-02-09T18:26:05.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6579,7 +6710,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591005Z", + "ingested": "2021-06-09T12:47:54.355635300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6625,6 +6757,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6766,7 +6901,7 @@ }, "@timestamp": "2020-02-09T18:26:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6789,7 +6924,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591008300Z", + "ingested": "2021-06-09T12:47:54.355638400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:06.0142481Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795893\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"821dc03c-4e38-4cd1-82b2-3155b41b4418\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -6835,6 +6971,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -6976,7 +7115,7 @@ }, "@timestamp": "2020-02-09T18:26:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -6999,7 +7138,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591011700Z", + "ingested": "2021-06-09T12:47:54.355641700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:06.0142481Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795893\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"821dc03c-4e38-4cd1-82b2-3155b41b4418\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -7024,6 +7164,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "AzureActiveDirectoryEventType": "1", @@ -7141,7 +7284,7 @@ }, "@timestamp": "2020-02-10T15:15:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7159,7 +7302,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:44.591015100Z", + "ingested": "2021-06-09T12:47:54.355645Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:15:04\", \"Actor\": [{\"Type\": 5, \"ID\": \"fim_password_service@support.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"100300008060F582\"}, {\"Type\": 2, \"ID\": \"User_00000000-0000-0000-0000-000000000000\"}, {\"Type\": 2, \"ID\": \"00000000-0000-0000-0000-000000000000\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"d51ef8df-6617-4356-b8d4-89ad7efef31e\", \"RecordType\": 8, \"ActorIpAddress\": \"\", \"UserId\": \"fim_password_service@support.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"100300008060F582@support.onmicrosoft.com\", \"ClientIP\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"ObjectId\": \"asr@testsiem.onmicrosoft.com\", \"ModifiedProperties\": [{\"Name\": \"StrongAuthenticationPhoneAppDetail\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": 
\\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"StrongAuthenticationPhoneAppDetail\"}, {\"Name\": \"TargetId.UserType\", \"OldValue\": \"\", \"NewValue\": \"Member\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"d51ef8df-6617-4356-b8d4-89ad7efef31e\"}, {\"Name\": \"actorObjectId\", \"Value\": \"00000000-0000-0000-0000-000000000000\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"fim_password_service@support.onmicrosoft.com\"}, {\"Name\": \"actorPUID\", \"Value\": \"100300008060F582\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"targetPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"4aa56c6c-8fa5-4787-a165-03f181541438\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"UserType\\\":\\\"Member\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"UserManagement\"}, {\"Name\": 
\"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:15:04.2043419Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"4QPHR\"}, {\"Name\": \"env_seqNum\", \"Value\": \"87075075\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"becwebservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"becwebservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RBWSR554\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update user.\", \"Id\": \"83c924c1-f2e2-4b39-8eda-b80c3823a875\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -7211,6 +7355,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -7349,7 +7496,7 @@ }, "@timestamp": "2020-02-10T15:16:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7372,7 +7519,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591018200Z", + "ingested": "2021-06-09T12:47:54.355648300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -7418,6 +7566,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -7556,7 +7707,7 @@ }, "@timestamp": "2020-02-10T15:16:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7579,7 +7730,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591021400Z", + "ingested": "2021-06-09T12:47:54.355651500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -7625,6 +7777,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -7763,7 +7918,7 @@ }, "@timestamp": "2020-02-10T15:16:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7786,7 +7941,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591024500Z", + "ingested": "2021-06-09T12:47:54.355654900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -7832,6 +7988,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -7970,7 +8129,7 @@ }, "@timestamp": "2020-02-10T15:17:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -7993,7 +8152,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591027700Z", + "ingested": "2021-06-09T12:47:54.355658100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908032\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"31d7436e-85aa-4aee-a945-6a0ff51ea975\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -8039,6 +8199,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8177,7 +8340,7 @@ }, "@timestamp": "2020-02-10T15:17:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8200,7 +8363,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591030900Z", + "ingested": "2021-06-09T12:47:54.355661200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -8246,6 +8410,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8384,7 +8551,7 @@ }, "@timestamp": "2020-02-10T15:17:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8407,7 +8574,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591034Z", + "ingested": "2021-06-09T12:47:54.355664400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908032\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"31d7436e-85aa-4aee-a945-6a0ff51ea975\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -8453,6 +8621,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8591,7 +8762,7 @@ }, "@timestamp": "2020-02-10T15:17:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8614,7 +8785,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591037100Z", + "ingested": "2021-06-09T12:47:54.355667500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -8660,6 +8832,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -8798,7 +8973,7 @@ }, "@timestamp": "2020-02-10T15:17:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -8821,7 +8996,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591040400Z", + "ingested": "2021-06-09T12:47:54.355670600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -8867,6 +9043,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -9005,7 +9184,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -9028,7 +9207,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591043500Z", + "ingested": "2021-06-09T12:47:54.355673800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9074,6 +9254,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -9212,7 +9395,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -9235,7 +9418,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591046800Z", + "ingested": "2021-06-09T12:47:54.355677Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9281,6 +9465,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -9419,7 +9606,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -9442,7 +9629,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591049900Z", + "ingested": "2021-06-09T12:47:54.355680100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9488,6 +9676,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -9626,7 +9817,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -9649,7 +9840,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591053100Z", + "ingested": "2021-06-09T12:47:54.355683600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9695,6 +9887,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -9833,7 +10028,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -9856,7 +10051,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591056300Z", + "ingested": "2021-06-09T12:47:54.355686700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -9902,6 +10098,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -10040,7 +10239,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -10063,7 +10262,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591059400Z", + "ingested": "2021-06-09T12:47:54.355689900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10109,6 +10309,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -10247,7 +10450,7 @@ }, "@timestamp": "2020-02-10T15:17:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -10270,7 +10473,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591062600Z", + "ingested": "2021-06-09T12:47:54.355693Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10316,6 +10520,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -10457,7 +10664,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -10480,7 +10687,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591065700Z", + "ingested": "2021-06-09T12:47:54.355696300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3393756Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118027\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"0031778a-80cf-49f8-aea2-f798c9bf1ec9\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10526,6 +10734,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -10667,7 +10878,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -10690,7 +10901,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591068900Z", + "ingested": "2021-06-09T12:47:54.355699600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"NewValue\": \"True\", \"OldValue\": \"\", \"Name\": \"ConsentContext.OnBehalfOfAll\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3393756Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118027\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"0031778a-80cf-49f8-aea2-f798c9bf1ec9\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10736,6 +10948,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -10874,7 +11089,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -10897,7 +11112,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591072200Z", + "ingested": "2021-06-09T12:47:54.355702600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -10943,6 +11159,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -11081,7 +11300,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -11104,7 +11323,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591075700Z", + "ingested": "2021-06-09T12:47:54.355706200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -11150,6 +11370,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -11288,7 +11511,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -11311,7 +11534,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591079Z", + "ingested": "2021-06-09T12:47:54.355709400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -11357,6 +11581,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -11495,7 +11722,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -11518,7 +11745,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591082400Z", + "ingested": "2021-06-09T12:47:54.355712700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -11564,6 +11792,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -11702,7 +11933,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -11725,7 +11956,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591086400Z", + "ingested": "2021-06-09T12:47:54.355732900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -11771,6 +12003,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -11909,7 +12144,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -11932,7 +12167,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591090700Z", + "ingested": "2021-06-09T12:47:54.355739300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.2593808Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117959\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a73c1c7e-5591-4912-94cc-527ad6f48ed8\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -11978,6 +12214,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -12116,7 +12355,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -12139,7 +12378,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591094100Z", + "ingested": "2021-06-09T12:47:54.355743900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.2593808Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117959\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a73c1c7e-5591-4912-94cc-527ad6f48ed8\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -12185,6 +12425,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -12323,7 +12566,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -12346,7 +12589,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591097400Z", + "ingested": "2021-06-09T12:47:54.355747700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -12392,6 +12636,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -12530,7 +12777,7 @@ }, "@timestamp": "2020-02-10T15:30:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -12553,7 +12800,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591100600Z", + "ingested": "2021-06-09T12:47:54.355751700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -12599,6 +12847,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -12727,7 +12978,7 @@ }, "@timestamp": "2020-02-11T16:36:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -12750,7 +13001,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591104600Z", + "ingested": "2021-06-09T12:47:54.355755200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -12796,6 +13048,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -12924,7 +13179,7 @@ }, "@timestamp": "2020-02-11T16:36:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -12947,7 +13202,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591108100Z", + "ingested": "2021-06-09T12:47:54.355758500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", 
\"OldValue\": \"[]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -12993,6 +13249,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -13121,7 +13380,7 @@ }, "@timestamp": "2020-02-11T16:36:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -13144,7 +13403,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591111200Z", + "ingested": "2021-06-09T12:47:54.355761900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13190,6 +13450,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -13318,7 +13581,7 @@ }, "@timestamp": "2020-02-11T16:36:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -13341,7 +13604,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591114400Z", + "ingested": "2021-06-09T12:47:54.355765100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n false\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AvailableToOtherTenants\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13387,6 +13651,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -13513,7 +13780,7 @@ }, "@timestamp": "2020-02-11T16:36:30.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -13536,7 +13803,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591117600Z", + "ingested": "2021-06-09T12:47:54.355768400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"ObjectId\": \"asr@testsiem.onmicrosoft.com\", \"ModifiedProperties\": [{\"Name\": \"Application.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"Application.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"Application.AppId\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": 
\"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"targetPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.7383513Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554439\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": 
\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add owner to application.\", \"Id\": \"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13585,6 +13853,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -13730,7 +14001,7 @@ }, "@timestamp": "2020-02-11T16:36:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -13753,7 +14024,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591120700Z", + "ingested": "2021-06-09T12:47:54.355771600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"AccountEnabled\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n true\\r\\n]\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -13799,6 +14071,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -13944,7 +14219,7 @@ }, "@timestamp": "2020-02-11T16:36:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -13967,7 +14242,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591124Z", + "ingested": "2021-06-09T12:47:54.355775100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"AccountEnabled\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n true\\r\\n]\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"Credential\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14013,6 +14289,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -14158,7 +14437,7 @@ }, "@timestamp": "2020-02-11T16:36:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -14181,7 +14460,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591127400Z", + "ingested": "2021-06-09T12:47:54.355778400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n true\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AccountEnabled\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14227,6 +14507,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -14372,7 +14655,7 @@ }, "@timestamp": "2020-02-11T16:36:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -14395,7 +14678,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591130600Z", + "ingested": "2021-06-09T12:47:54.355781600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n true\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AccountEnabled\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"ServicePrincipalName\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14441,6 +14725,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -14548,7 +14835,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -14571,7 +14858,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591133900Z", + "ingested": "2021-06-09T12:47:54.355785Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, 
{\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826392\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", 
\"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14617,6 +14905,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -14733,7 +15024,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -14756,7 +15047,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591137200Z", + "ingested": "2021-06-09T12:47:54.355788100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"KeyDescription\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"KeyDescription\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": 
\"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"KeyDescription\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826385\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", 
\"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application \\u2013 Certificates and secrets management \", \"Id\": \"20a82fa1-625b-491a-a3e8-54d779a9b17e\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14802,6 +15094,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -14918,7 +15213,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -14941,7 +15236,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591140400Z", + "ingested": "2021-06-09T12:47:54.355791400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"KeyDescription\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"KeyDescription\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": 
\"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"KeyDescription\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826385\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", 
\"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application \\u2013 Certificates and secrets management \", \"Id\": \"20a82fa1-625b-491a-a3e8-54d779a9b17e\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -14987,6 +15283,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -15112,7 +15411,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -15135,7 +15434,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591143700Z", + "ingested": "2021-06-09T12:47:54.355794700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15181,6 +15481,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -15306,7 +15609,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -15329,7 +15632,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591146900Z", + "ingested": "2021-06-09T12:47:54.355798500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15375,6 +15679,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -15500,7 +15807,7 @@ }, "@timestamp": "2020-02-11T16:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -15523,7 +15830,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591150Z", + "ingested": "2021-06-09T12:47:54.355801800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -15569,6 +15877,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -15685,7 +15996,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -15708,7 +16019,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591153200Z", + "ingested": "2021-06-09T12:47:54.355804800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n 
\\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -15754,6 +16066,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -15870,7 +16185,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
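Review bot: The added `"tags": ["preserve_original_event"]` here, like the identical tags hunks throughout this file, means the expected output only pins the path where `event.original` is kept. The diffstat replaces the per-test config files with a single `test-common-config.yml`, so it looks as if no pipeline test runs without the tag; if the pipeline is meant to drop `event.original` when the tag is absent, that default is unverified. The raw record repeats the tenant ID, UPN, client IP and the `ModifiedProperties` old/new values, so a regression in the removal step would silently store all of that twice. I would add one fixture without the tag whose expected document has no `event.original` key. The enclosing event object starts and ends outside this hunk.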
@@ -15893,7 +16208,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591156400Z", + "ingested": "2021-06-09T12:47:54.355808300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n 
\\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -15939,6 +16255,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -16055,7 +16374,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -16078,7 +16397,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591159600Z", + "ingested": "2021-06-09T12:47:54.355811500Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", 
@@ -16124,6 +16444,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -16249,7 +16572,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
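Review bot: Every expected document in this file now carries the `preserve_original_event` tag together with `event.original` (this hunk and the matching `tags` hunks further down), so the fixture only pins the opt-in path. Nothing visible here exercises the default, where the tag is absent and the pipeline is presumably meant to drop `event.original`; the pipeline and `test-common-config.yml` are outside this chunk, so that is inferred from the diffstat. Because `event.original` repeats the whole raw audit record, including UPNs, client IPs and tenant and object IDs, a removal condition that silently stops matching would double the retention of that data without failing any test. Since this file is regenerated output, the change belongs in the test inputs: keep one sample that runs without the tag and whose expected document has no `event.original`.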
@@ -16272,7 +16595,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591163200Z", + "ingested": "2021-06-09T12:47:54.355814900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16318,6 +16642,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -16443,7 +16770,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -16466,7 +16793,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591166400Z", + "ingested": "2021-06-09T12:47:54.355818100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16512,6 +16840,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -16637,7 +16968,7 @@ }, "@timestamp": "2020-02-11T16:45:37.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -16660,7 +16991,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591170300Z", + "ingested": "2021-06-09T12:47:54.355821800Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16706,6 +17038,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -16844,7 +17179,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -16867,7 +17202,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591174600Z", + "ingested": "2021-06-09T12:47:54.355825Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8071361Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622707\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"256e3859-87ca-4b23-b2c0-45a26ccd7925\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -16913,6 +17249,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -17051,7 +17390,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -17074,7 +17413,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591178Z", + "ingested": "2021-06-09T12:47:54.355828200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -17120,6 +17460,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -17258,7 +17601,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -17281,7 +17624,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591181100Z", + "ingested": "2021-06-09T12:47:54.355832900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -17327,6 +17671,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -17465,7 +17812,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -17488,7 +17835,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591184300Z", + "ingested": "2021-06-09T12:47:54.355836100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -17534,6 +17882,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -17672,7 +18023,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -17695,7 +18046,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591187700Z", + "ingested": "2021-06-09T12:47:54.355839600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -17741,6 +18093,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -17879,7 +18234,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -17902,7 +18257,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591190800Z", + "ingested": "2021-06-09T12:47:54.355842700Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -17948,6 +18304,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -18086,7 +18445,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -18109,7 +18468,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591194300Z", + "ingested": "2021-06-09T12:47:54.355846Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8071361Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622707\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"256e3859-87ca-4b23-b2c0-45a26ccd7925\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", "kind": "event", @@ -18155,6 +18515,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -18293,7 +18656,7 @@ }, "@timestamp": "2020-02-11T16:45:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -18316,7 +18679,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591197400Z", + "ingested": "2021-06-09T12:47:54.355849200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"NewValue\": \"siem2\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -18362,6 +18726,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -18500,7 +18867,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -18523,7 +18890,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591200700Z", + "ingested": "2021-06-09T12:47:54.355852600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -18569,6 +18937,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -18707,7 +19078,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
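Review bot: The expectation added in this hunk (and repeated in the hunks at -18730, -18937, -19147 and -19357) pins only the opt-in path: every document carries `"tags": ["preserve_original_event"]` together with a full `event.original`, and nothing visible here checks what happens when the tag is absent. Because `event.original` holds the complete raw audit record (UPNs, client IPs, tenant and object IDs), a regression that retains it unconditionally would pass these tests unnoticed. Assuming the pipeline is meant to drop the field without the tag (the pipeline change is not visible in this hunk), I would add one small test case whose config omits `preserve_original_event` and whose expected document contains no `event.original` key. The enclosing expected document starts and ends outside the hunk.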
@@ -18730,7 +19101,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591203900Z", + "ingested": "2021-06-09T12:47:54.355855900Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -18776,6 +19148,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -18914,7 +19289,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -18937,7 +19312,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591207100Z", + "ingested": "2021-06-09T12:47:54.355859200Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -18983,6 +19359,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -19124,7 +19503,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -19147,7 +19526,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591210400Z", + "ingested": "2021-06-09T12:47:54.355862400Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ConsentContext.Tags\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19193,6 +19573,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -19334,7 +19717,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -19357,7 +19740,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591213600Z", + "ingested": "2021-06-09T12:47:54.355865600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19403,6 +19787,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -19544,7 +19931,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -19567,7 +19954,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591216800Z", + "ingested": "2021-06-09T12:47:54.355869Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"NewValue\": \"True\", \"OldValue\": \"\", \"Name\": \"ConsentContext.OnBehalfOfAll\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19613,6 +20001,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -19747,7 +20138,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -19770,7 +20161,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591220Z", + "ingested": "2021-06-09T12:47:54.355872100Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"User.UPN\", \"OldValue\": \"\", \"NewValue\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -19816,6 +20208,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -19950,7 +20345,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -19973,7 +20368,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591223300Z", + "ingested": "2021-06-09T12:47:54.355875300Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"User.UPN\", \"OldValue\": \"\", \"NewValue\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", @@ -20019,6 +20415,9 @@ }, "ip": "83.57.233.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -20153,7 +20552,7 @@ }, "@timestamp": "2020-02-11T16:45:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -20176,7 +20575,8 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-02T06:59:44.591226600Z", + "ingested": "2021-06-09T12:47:54.355878600Z", + "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"NewValue\": \"asr@testsiem.onmicrosoft.com\", \"OldValue\": \"\", \"Name\": \"User.UPN\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml similarity index 83% rename from packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-config.yml rename to packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml index c45be4757bd..11d3497e928 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-config.yml +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -5,3 +5,5 @@ fields: "_conf": "tenants": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" + tags: + - preserve_original_event \ No newline at end of file 
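Review bot: With `tags: - preserve_original_event` set in `test-common-config.yml`, and the per-file configs deleted elsewhere in this patch, every pipeline test appears to run with the tag present, so no fixture covers the default path where the tag is absent. The pipeline change is outside this hunk, but if it is meant to drop `event.original` when the tag is missing, that branch is untested. This matters because `event.original` holds the whole raw audit record (UPNs, client IPs, object IDs), so a regression that retains it without opt-in would pass unnoticed. Consider keeping one test with its own `-config.yml` that omits the `tags` entry, plus an expected file that has no `event.original`. The new file also ends without a trailing newline (`\ No newline at end of file`); add one after `- preserve_original_event`.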
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json index f9310932d4a..57579f991ed 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json @@ -14,7 +14,7 @@ }, "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -25,7 +25,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636536Z", + "ingested": "2021-06-09T12:48:02.158030500Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\", \"RecordType\": 52}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -41,7 +42,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { 
@@ -57,7 +61,7 @@ }, "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -68,7 +72,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636583900Z", + "ingested": "2021-06-09T12:48:02.158066200Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\", \"RecordType\": 52}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -84,7 +89,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -100,7 +108,7 @@ }, "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -111,7 +119,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636590700Z", + "ingested": "2021-06-09T12:48:02.158073400Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"CreationTime\": \"2020-02-10T15:13:38\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -127,7 +136,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { 
@@ -143,7 +155,7 @@ }, "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -154,7 +166,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636594700Z", + "ingested": "2021-06-09T12:48:02.158077500Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -170,7 +183,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -186,7 +202,7 @@ }, "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -197,7 +213,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636598Z", + "ingested": "2021-06-09T12:48:02.158080800Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -213,7 +230,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { 
@@ -229,7 +249,7 @@ }, "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -240,7 +260,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636601300Z", + "ingested": "2021-06-09T12:48:02.158083800Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"DataType\": \"DataInsightsSubscription\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -256,7 +277,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -272,7 +296,7 @@ }, "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -283,7 +307,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636604300Z", + "ingested": "2021-06-09T12:48:02.158086900Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"DataType\": \"DataInsightsSubscription\", \"UserId\": \"Service Account\", \"CreationTime\": \"2020-02-10T15:13:38\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -299,7 +324,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { 
@@ -315,7 +343,7 @@ }, "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -326,7 +354,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636607400Z", + "ingested": "2021-06-09T12:48:02.158089800Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"DataType\": \"DataInsightsSubscription\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", @@ -342,7 +371,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -358,7 +390,7 @@ }, "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -369,7 +401,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:52.636610400Z", + "ingested": "2021-06-09T12:48:02.158092700Z", + "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"Service Account\", \"CreationTime\": \"2020-02-12T21:38:38\", \"DataType\": \"DataInsightsSubscription\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", "kind": "event", 
@@ -385,7 +418,10 @@ }, "user": { "id": "Service Account" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json index e2350cf681a..6459ed64f26 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json @@ -25,6 +25,9 @@ } }, "message": "Here's the phony data", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -138,7 +141,7 @@ }, "@timestamp": "2020-02-24T20:11:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" 
@@ -148,7 +151,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.783666500Z", + "ingested": "2021-06-09T12:48:02.317121300Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", @@ -193,6 +197,9 @@ } }, "message": "Here's the phony data", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -306,7 +313,7 @@ }, "@timestamp": "2020-02-24T20:11:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" 
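Review bot: The `"original"` value added in the `@@ -148,7 +151,8 @@` hunk repeats the whole DLP record, including `Subject`, `From`, `To`, `CC` and the matched `SensitiveType` ids. The parsed fields already hold the same content, for example `"message": "Here's the phony data"` in the neighbouring hunk. With preservation enabled the index stores that content twice, so retention and field-level access rules written for the parsed fields need to cover `event.original` as well. The option's description in the manifest is not part of this hunk. If it does not already say so, a line such as `Preserves a raw copy of the original event in event.original; for DLP records the copy includes message subjects and recipient addresses.` would make the trade-off explicit. The same applies to the later `original` hunks in this file and in test-dlp-sharepoint.log-expected.json.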
@@ -316,7 +323,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.783683900Z", + "ingested": "2021-06-09T12:48:02.317137400Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleUndo\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", @@ -361,6 +369,9 @@ } }, "message": "Here's the phony data", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -477,7 +488,7 @@ }, "@timestamp": "2020-02-24T20:11:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" 
@@ -487,7 +498,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.783687800Z", + "ingested": "2021-06-09T12:48:02.317141300Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" }\",\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", @@ -532,6 +544,9 @@ } }, "message": "Here's the phony data", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -648,7 +663,7 @@ }, "@timestamp": "2020-02-24T20:11:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" 
@@ -658,7 +673,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.783690700Z", + "ingested": "2021-06-09T12:48:02.317144400Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"ExceptionInfo\":{ \"FalsePositive\": true },\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", @@ -701,6 +717,9 @@ } }, "message": "Here's the phony data", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -771,7 +790,7 @@ }, "@timestamp": "2020-02-24T20:11:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" 
@@ -781,7 +800,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-02T06:59:52.783695500Z", + "ingested": "2021-06-09T12:48:02.317147300Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"DlpAgent\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"Low\",\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleName\":\"Low volume of content detected test\",\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13310,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", 
@@ -813,6 +833,9 @@ "url": { "original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "13", @@ -880,7 +903,7 @@ "mtime": "2020-02-24T12:13:14.000Z" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -895,7 +918,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-02T06:59:52.783716Z", + "ingested": "2021-06-09T12:48:02.317150300Z", + "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"DlpAgent\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"Low\",\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleName\":\"Low volume of content detected test\",\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"SharePointMetaData\":{\"From\":\"alice@testsiem2.onmicrosoft.com\",\"itemCreationTime\":\"2020-02-20T11:23:45\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", "kind": "alert", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json index c0bc8cf8ffb..e9542be5bcd 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json @@ -12,6 +12,9 @@ "url": { "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -66,7 +69,7 @@ "name": "Customers Financial Data.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -81,7 +84,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-02T06:59:52.997643100Z", + "ingested": "2021-06-09T12:48:02.532147300Z", + "original": "{\"Workload\": \"OneDrive\", \"SensitiveInfoDetectionIsIncluded\": false, \"ObjectId\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:20:15\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"Low\", \"RuleId\": \"c5981414-9f1f-4275-a2df-2fbfb1d03795\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"NotifyUser\"], \"RuleName\": \"Low volume of content detected U.S. Financial\", \"ActionParameters\": [], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:19:43\", \"ItemCreationTime\": \"2020-02-25T15:22:49\", \"FileName\": \"Customers Financial Data.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"FileOwner\": \"Alan Smithee\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"3066c3c5-eb56-dd03-b000-08d7ba115afd\", \"Id\": \"a21f13b9-22b6-405b-bf9e-a07ad8d456da\", \"RecordType\": 11}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", "kind": "alert", 
@@ -113,6 +117,9 @@ "url": { "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -176,7 +183,7 @@ "name": "Customers Financial Data Copy.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -191,7 +198,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.997661300Z", + "ingested": "2021-06-09T12:48:02.532160Z", + "original": "{\"Workload\": \"OneDrive\", \"SensitiveInfoDetectionIsIncluded\": false, \"ObjectId\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:23:39\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"7503b92a-67c2-494b-8a46-57ef0d738886\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected U.S. Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. 
Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"ItemCreationTime\": \"2020-02-25T16:21:50\", \"FileName\": \"Customers Financial Data Copy.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"FileOwner\": \"Alan Smithee\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"eeeb7b44-fc69-c19f-b000-08d7ba115afd\", \"Id\": \"eb8259c8-d2c2-449d-bd35-5c8a033eb629\", \"RecordType\": 11}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", "kind": "alert", @@ -223,6 +231,9 @@ "url": { "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -282,7 +293,7 @@ "name": "Customers Financial Data Copy.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -297,7 +308,8 @@ }, "event": { "severity": 2, - "ingested": "2021-06-02T06:59:52.997665Z", + "ingested": "2021-06-09T12:48:02.532163800Z", + "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:23:39\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"Low\", \"RuleId\": \"c5981414-9f1f-4275-a2df-2fbfb1d03795\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"NotifyUser\"], \"RuleName\": \"Low volume of content detected U.S. Financial\", \"ActionParameters\": [], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"ItemCreationTime\": \"2020-02-25T16:21:50\", \"FileName\": \"Customers Financial Data Copy.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"FileOwner\": \"Alan Smithee\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"eeeb7b44-fc69-c19f-b000-08d7ba115afd\", \"Id\": \"50a90c83-7e15-4679-8778-d9dd30927e66\", \"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", 
"provider": "OneDrive", "kind": "alert", @@ -329,6 +341,9 @@ "url": { "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -392,7 +407,7 @@ "name": "Customers Financial Data.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -407,7 +422,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.997668100Z", + "ingested": "2021-06-09T12:48:02.532166800Z", + "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"CreationTime\": \"2020-02-25T16:22:22\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"7503b92a-67c2-494b-8a46-57ef0d738886\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected U.S. Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. 
Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"ItemCreationTime\": \"2020-02-25T15:22:49\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"FileOwner\": \"Alan Smithee\", \"FileName\": \"Customers Financial Data.docx\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"3066c3c5-eb56-dd03-b000-08d7ba115afd\", \"Id\": \"59652f9a-087c-4b65-b88c-b293ade34202\", \"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", "kind": "alert", @@ -439,6 +455,9 @@ "url": { "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -502,7 +521,7 @@ "name": "INTERNAL CREDIT CARD NUMBERS.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -517,7 +536,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.997671Z", + "ingested": "2021-06-09T12:48:02.532170100Z", + "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"f026407b-090a-4c15-99b5-09851842d96d\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-26T10:13:48\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"bc4d376f-b038-4695-9362-609d32f963cf\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 23, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected France Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:46:23\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"ItemCreationTime\": \"2020-02-26T09:44:40\", \"FileName\": \"INTERNAL CREDIT CARD NUMBERS.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"f026407b-090a-4c15-99b5-09851842d96d\", \"FileOwner\": \"Alan Smithee\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"f7295114-e601-f2b6-8800-08d7baa56f8b\", \"Id\": \"d69c6758-f210-43bd-bac1-563adef4b4cf\", 
\"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", "kind": "alert", @@ -549,6 +569,9 @@ "url": { "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -612,7 +635,7 @@ "name": "Document.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -627,7 +650,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.997674Z", + "ingested": "2021-06-09T12:48:02.532172800Z", + "original": "{\"Workload\": \"SharePoint\", \"SensitiveInfoDetectionIsIncluded\": false, \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DLPAgent\", \"CreationTime\": \"2020-02-26T12:39:40\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\", \"RuleName\": \"Low volume of content detected France Financial\", \"Actions\": [\"NotifyUser\", \"GenerateAlert\"], \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 2, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"ActionParameters\": [\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"alice@testsiem2.onmicrosoft.com\", \"UniqueID\": \"3ace820e-9358-4520-9df6-5bd65602cef0\", \"FilePathUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:56:12\", \"SiteCollectionUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications\", \"ItemCreationTime\": \"2020-02-26T09:55:38\", \"SiteCollectionGuid\": \"4aaa3319-df17-4ea0-a142-42cf204cfc62\", \"FileSize\": 35920, \"IsViewableByExternalUsers\": false, \"FileOwner\": \"alice@testsiem2.onmicrosoft.com\", \"FileName\": \"Document.docx\"}, \"UserKey\": \"DLPAgent\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"0ae82be2-e321-ab52-d000-08d7bab8fe55\", \"Id\": \"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\", \"RecordType\": 11}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", "kind": "alert", 
@@ -659,6 +683,9 @@ "url": { "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "11", @@ -722,7 +749,7 @@ "name": "Document.docx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -737,7 +764,8 @@ }, "event": { "severity": 4, - "ingested": "2021-06-02T06:59:52.997676800Z", + "ingested": "2021-06-09T12:48:02.532175600Z", + "original": "{\"Workload\": \"SharePoint\", \"SensitiveInfoDetectionIsIncluded\": false, \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DLPAgent\", \"CreationTime\": \"2020-02-26T12:39:40\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 2, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"Actions\": [\"NotifyUser\", \"GenerateAlert\"], \"RuleName\": \"Low volume of content detected France Financial\", \"ActionParameters\": [\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"alice@testsiem2.onmicrosoft.com\", \"IsViewableByExternalUsers\": false, \"FilePathUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:56:12\", \"SiteCollectionUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications\", \"ItemCreationTime\": \"2020-02-26T09:55:38\", \"FileName\": \"Document.docx\", \"SiteCollectionGuid\": \"4aaa3319-df17-4ea0-a142-42cf204cfc62\", \"FileSize\": 35920, \"UniqueID\": \"3ace820e-9358-4520-9df6-5bd65602cef0\", \"FileOwner\": \"alice@testsiem2.onmicrosoft.com\"}, \"UserKey\": \"DLPAgent\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"0ae82be2-e321-ab52-d000-08d7bab8fe55\", \"Id\": \"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\", \"RecordType\": 11}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", "kind": "alert", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json index 6edb59b1691..69def7bb68b 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json @@ -9,6 +9,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -30,7 +33,7 @@ }, "@timestamp": "2020-02-07T20:49:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
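Review bot: The expected output for test-exchange-admin.log only pins the opt-in path: from the `@@ -9,6 +9,9 @@` hunk onward every document carries `"tags": ["preserve_original_event"]` and, in the hunks that follow, a complete `event.original`. No case visible here asserts that `event.original` is removed when the tag is absent, which is presumably the default and the branch that keeps the raw audit record (user keys, mailbox identities, cmdlet parameters) from being stored a second time. A second test case whose config omits the tag, and whose expected document has no `event.original`, would catch a regression in that removal step. The DLP SharePoint fixture earlier in this patch has the same shape, and the documents these hunks belong to continue outside the hunk.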
@@ -46,7 +49,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229167Z", + "ingested": "2021-06-09T12:48:02.763201500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -73,6 +77,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -107,7 +114,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -123,7 +130,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229185700Z", + "ingested": "2021-06-09T12:48:02.763217400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"6c3454e1-1a13-411b-bed1-08d7adfc0c09\", \"CreationTime\": \"2020-02-10T07:37:14\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -150,6 +158,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -184,7 +195,7 @@ }, "@timestamp": "2020-02-07T20:49:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -200,7 +211,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229189600Z", + "ingested": "2021-06-09T12:48:02.763222Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"b5131b23-3efb-481a-c05b-08d7ac0f2a82\", \"CreationTime\": \"2020-02-07T20:49:03\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -227,6 +239,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -248,7 +263,7 @@ }, "@timestamp": "2020-02-10T07:37:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -264,7 +279,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229192400Z", + "ingested": "2021-06-09T12:48:02.763225100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-DefaultSharingPolicy\", \"Id\": \"ef597809-1c52-4a85-7cce-08d7adfc0939\", \"CreationTime\": \"2020-02-10T07:37:09\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -291,6 +307,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -312,7 +331,7 @@ }, "@timestamp": "2020-02-10T07:37:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -328,7 +347,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229195100Z", + "ingested": "2021-06-09T12:48:02.763228Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-AdminAuditLogConfig\", \"Id\": \"362ff802-6df6-47e5-09a2-08d7adfc095b\", \"CreationTime\": \"2020-02-10T07:37:09\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -355,6 +375,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -377,7 +400,7 @@ }, "@timestamp": "2020-02-10T07:37:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -393,7 +416,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229197600Z", + "ingested": "2021-06-09T12:48:02.763230600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:13\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"ea769bfc-fa67-465c-767a-08d7adfc0b7b\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -420,6 +444,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -443,7 +470,7 @@ }, "@timestamp": "2020-02-07T20:48:43.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -459,7 +486,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229200300Z", + "ingested": "2021-06-09T12:48:02.763233300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"}, {\"Name\": \"UMDataStorage\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\", \"Id\": \"168019d2-1e8a-4394-e90b-08d7ac0f1e69\", \"CreationTime\": \"2020-02-07T20:48:43\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -486,6 +514,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -507,7 +538,7 @@ }, "@timestamp": "2020-02-07T20:49:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -523,7 +554,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229203Z", + "ingested": "2021-06-09T12:48:02.763236Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"InstantMessagingType\", \"Value\": \"Ocs\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:34\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-OwaMailboxPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\", \"Id\": \"0d7995da-038f-40d9-2765-08d7ac0f3d4d\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -550,6 +582,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -584,7 +619,7 @@ }, "@timestamp": "2020-02-07T20:49:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -600,7 +635,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229205600Z", + "ingested": "2021-06-09T12:48:02.763238700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:20\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -627,6 +663,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -661,7 +700,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -677,7 +716,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229208200Z", + "ingested": "2021-06-09T12:48:02.763241500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -704,6 +744,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -726,7 +769,7 @@ }, "@timestamp": "2020-02-07T20:48:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -742,7 +785,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229210800Z", + "ingested": "2021-06-09T12:48:02.763244300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:04\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Operation\": \"Enable-AddressListPaging\", \"Id\": \"a0063917-bb25-4c17-fe2e-08d7ac0f0769\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -769,6 +813,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -803,7 +850,7 @@ }, "@timestamp": "2020-02-07T20:48:58.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -819,7 +866,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229213500Z", + "ingested": "2021-06-09T12:48:02.763247600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:58\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"a324e83b-d1a3-4855-db2a-08d7ac0f277b\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -846,6 +894,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -880,7 +931,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -896,7 +947,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229216Z", + "ingested": "2021-06-09T12:48:02.763250300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ebda487f-6177-432a-e91d-08d7adfc0d0d\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -923,6 +975,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -957,7 +1012,7 @@ }, "@timestamp": "2020-02-07T20:49:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -973,7 +1028,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229218600Z", + "ingested": "2021-06-09T12:48:02.763252900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:09\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1000,6 +1056,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1034,7 +1093,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1050,7 +1109,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229253700Z", + "ingested": "2021-06-09T12:48:02.763255600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1077,6 +1137,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1111,7 +1174,7 @@ }, "@timestamp": "2020-02-07T20:49:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1127,7 +1190,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229262Z", + "ingested": "2021-06-09T12:48:02.763258300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:09\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1154,6 +1218,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1188,7 +1255,7 @@ }, "@timestamp": "2020-02-10T07:37:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1204,7 +1271,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229266300Z", + "ingested": "2021-06-09T12:48:02.763304400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"CreationTime\": \"2020-02-10T07:37:18\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1231,6 +1299,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1252,7 +1323,7 @@ }, "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -1268,7 +1339,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229269300Z", + "ingested": "2021-06-09T12:48:02.763313600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:55\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"Id\": \"514d0e07-410f-469c-a7f9-08d7ac0f496e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1295,6 +1367,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1317,7 +1392,7 @@ }, "@timestamp": "2020-02-10T07:37:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1333,7 +1408,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229272200Z", + "ingested": "2021-06-09T12:48:02.763318Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"ea769bfc-fa67-465c-767a-08d7adfc0b7b\", \"CreationTime\": \"2020-02-10T07:37:13\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1360,6 +1436,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1382,7 +1461,7 @@ }, "@timestamp": "2020-02-10T07:37:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1398,7 +1477,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229274800Z", + "ingested": "2021-06-09T12:48:02.763321100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"SupervisionTags\", \"Value\": \"Reject;Allow\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Id\": \"e022fa0d-13b2-4314-b707-08d7adfc0868\", \"CreationTime\": \"2020-02-10T07:37:08\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1425,6 +1505,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1446,7 +1529,7 @@ }, "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1462,7 +1545,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229277300Z", + "ingested": "2021-06-09T12:48:02.763323900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"514d0e07-410f-469c-a7f9-08d7ac0f496e\", \"CreationTime\": \"2020-02-07T20:49:55\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1489,6 +1573,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1511,7 +1598,7 @@ }, "@timestamp": "2020-02-07T20:48:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1527,7 +1614,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229279700Z", + "ingested": "2021-06-09T12:48:02.763327900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:52\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Id\": \"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1554,6 +1642,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1588,7 +1679,7 @@ }, "@timestamp": "2020-02-07T20:48:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1604,7 +1695,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229282200Z", + "ingested": "2021-06-09T12:48:02.763330800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"OMEncryptionStore\", \"Value\": \"True\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:49\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\", \"Id\": \"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1631,6 +1723,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1665,7 +1760,7 @@ }, "@timestamp": "2020-02-10T07:37:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1681,7 +1776,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229284900Z", + "ingested": "2021-06-09T12:48:02.763333600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:18\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1708,6 +1804,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1742,7 +1841,7 @@ }, "@timestamp": "2020-02-07T20:48:56.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1758,7 +1857,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229287400Z", + "ingested": "2021-06-09T12:48:02.763336200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:56\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"d83e97f0-951c-4ccc-630e-08d7ac0f267e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1785,6 +1885,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1819,7 +1922,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1835,7 +1938,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229289900Z", + "ingested": "2021-06-09T12:48:02.763338900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1862,6 +1966,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1896,7 +2003,7 @@ }, "@timestamp": "2020-02-07T20:48:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1912,7 +2019,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229292400Z", + "ingested": "2021-06-09T12:48:02.763341700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\", \"CreationTime\": \"2020-02-07T20:48:57\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -1939,6 +2047,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -1973,7 +2084,7 @@ }, "@timestamp": "2020-02-07T20:49:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -1989,7 +2100,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229294800Z", + "ingested": "2021-06-09T12:48:02.763344300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"979931d3-c99d-45b1-14e1-08d7ac0f3209\", \"CreationTime\": \"2020-02-07T20:49:16\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2016,6 +2128,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2050,7 +2165,7 @@ }, "@timestamp": "2020-02-07T20:49:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2066,7 +2181,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229297400Z", + "ingested": "2021-06-09T12:48:02.763346800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:20\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"4bddac31-664e-4432-d181-08d7ac0f34d2\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2093,6 +2209,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2127,7 +2246,7 @@ }, "@timestamp": "2020-02-07T20:49:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2143,7 +2262,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229300Z", + "ingested": "2021-06-09T12:48:02.763349400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"4d2e1010-489d-4aa0-e300-08d7ac0f314c\", \"CreationTime\": \"2020-02-07T20:49:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2170,6 +2290,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2206,7 +2329,7 @@ }, "@timestamp": "2020-02-07T20:48:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2222,7 +2345,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229302600Z", + "ingested": "2021-06-09T12:48:02.763352Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:44\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", 
\"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2249,6 +2373,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2283,7 +2410,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2299,7 +2426,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229305100Z", + "ingested": "2021-06-09T12:48:02.763354800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2326,6 +2454,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2360,7 +2491,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2376,7 +2507,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229307900Z", + "ingested": "2021-06-09T12:48:02.763357400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:14\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2403,6 +2535,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2437,7 +2572,7 @@ }, "@timestamp": "2020-02-07T20:49:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2453,7 +2588,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229310400Z", + "ingested": "2021-06-09T12:48:02.763360200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\", \"CreationTime\": \"2020-02-07T20:49:20\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2480,6 +2616,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2514,7 +2653,7 @@ }, "@timestamp": "2020-02-07T20:49:08.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2530,7 +2669,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229313500Z", + "ingested": "2021-06-09T12:48:02.763362900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:08\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2557,6 +2697,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2591,7 +2734,7 @@ }, "@timestamp": "2020-02-07T20:49:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2607,7 +2750,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229315900Z", + "ingested": "2021-06-09T12:48:02.763365700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\", \"CreationTime\": \"2020-02-07T20:49:20\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2634,6 +2778,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2668,7 +2815,7 @@ }, "@timestamp": "2020-02-07T20:49:09.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2684,7 +2831,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229318400Z", + "ingested": "2021-06-09T12:48:02.763368500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:09\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2711,6 +2859,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2745,7 +2896,7 @@ }, "@timestamp": "2020-02-07T20:49:10.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2761,7 +2912,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229320900Z", + "ingested": "2021-06-09T12:48:02.763371300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:10\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2788,6 +2940,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2822,7 +2977,7 @@ }, "@timestamp": "2020-02-07T20:49:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2838,7 +2993,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229323400Z", + "ingested": "2021-06-09T12:48:02.763373900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\", \"CreationTime\": \"2020-02-07T20:49:21\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2865,6 +3021,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2899,7 +3058,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2915,7 +3074,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229326200Z", + "ingested": "2021-06-09T12:48:02.763376500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"d16f181c-257c-4d40-45e1-08d7adfc0c02\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -2942,6 +3102,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -2973,7 +3136,7 @@ }, "@timestamp": "2020-02-07T20:48:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -2989,7 +3152,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229328800Z", + "ingested": "2021-06-09T12:48:02.763382500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"UMGrammar\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"MaxSendSize\", \"Value\": \"1 GB (1,073,741,824 bytes)\"}, {\"Name\": \"MailRouting\", \"Value\": \"True\"}, {\"Name\": \"MessageTracking\", \"Value\": \"True\"}, {\"Name\": \"OMEncryption\", \"Value\": \"True\"}, {\"Name\": \"OABGen\", \"Value\": \"True\"}, {\"Name\": \"ClientExtensions\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"}, {\"Name\": \"GMGen\", \"Value\": \"True\"}, {\"Name\": \"SuiteServiceStorage\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\", \"CreationTime\": \"2020-02-07T20:48:42\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3016,6 +3180,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -3039,7 +3206,7 @@ }, "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -3055,7 +3222,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229331300Z", + "ingested": "2021-06-09T12:48:02.763385700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:55\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3082,6 +3250,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3104,7 +3275,7 @@ }, "@timestamp": "2020-02-07T20:49:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3120,7 +3291,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229333900Z", + "ingested": "2021-06-09T12:48:02.763388700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:52\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"HygieneSuite\", \"Value\": \"Premium\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3147,6 +3319,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3169,7 +3344,7 @@ }, "@timestamp": "2020-02-07T20:48:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3185,7 +3360,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229336300Z", + "ingested": "2021-06-09T12:48:02.763391200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:52\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3212,6 +3388,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3234,7 +3413,7 @@ }, "@timestamp": "2020-02-07T20:48:06.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3250,7 +3429,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229338900Z", + "ingested": "2021-06-09T12:48:02.763394Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}], \"ObjectId\": \"testsiem.onmicrosoft.com\\\\ExchangeAssistance\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"New-ExchangeAssistanceConfig\", \"Id\": \"627aa8ff-1411-475d-d202-08d7ac0f08a5\", \"CreationTime\": \"2020-02-07T20:48:06\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3277,6 +3457,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3313,7 +3496,7 @@ }, "@timestamp": "2020-02-10T07:37:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3329,7 +3512,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229341500Z", + "ingested": "2021-06-09T12:48:02.763396600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:12\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", 
\"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Id\": \"425128e3-4281-42f6-4ec7-08d7adfc0acd\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3356,6 +3540,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3390,7 +3577,7 @@ }, "@timestamp": "2020-02-10T07:37:18.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3406,7 +3593,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229344Z", + "ingested": "2021-06-09T12:48:02.763399200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:18\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3433,6 +3621,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3467,7 +3658,7 @@ }, "@timestamp": "2020-02-07T20:49:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3483,7 +3674,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229346500Z", + "ingested": "2021-06-09T12:48:02.763401700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:21\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3510,6 +3702,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3544,7 +3739,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3560,7 +3755,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229349100Z", + "ingested": "2021-06-09T12:48:02.763404500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"8126fd52-b16b-45c5-6aff-08d7adfc0c97\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3587,6 +3783,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3621,7 +3820,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3637,7 +3836,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229351700Z", + "ingested": "2021-06-09T12:48:02.763407Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:14\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"70f24b65-0224-473b-49b8-08d7adfc0c83\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3664,6 +3864,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3698,7 +3901,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3714,7 +3917,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229354300Z", + "ingested": "2021-06-09T12:48:02.763409800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\", \"CreationTime\": \"2020-02-10T07:37:17\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3741,6 +3945,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3775,7 +3982,7 @@ }, "@timestamp": "2020-02-07T20:48:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3791,7 +3998,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229356800Z", + "ingested": "2021-06-09T12:48:02.763412300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:57\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3818,6 +4026,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3852,7 +4063,7 @@ }, "@timestamp": "2020-02-07T20:49:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3868,7 +4079,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229359500Z", + "ingested": "2021-06-09T12:48:02.763414900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:02\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3895,6 +4107,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -3929,7 +4144,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -3945,7 +4160,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229362Z", + "ingested": "2021-06-09T12:48:02.763418Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ebda487f-6177-432a-e91d-08d7adfc0d0d\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -3972,6 +4188,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4006,7 +4225,7 @@ }, "@timestamp": "2020-02-07T20:48:51.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4022,7 +4241,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229365800Z", + "ingested": "2021-06-09T12:48:02.763420900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:51\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"93d5f028-263c-45f1-dcf9-08d7ac0f2378\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4049,6 +4269,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4083,7 +4306,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4099,7 +4322,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229368600Z", + "ingested": "2021-06-09T12:48:02.763423600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4126,6 +4350,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4160,7 +4387,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4176,7 +4403,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229371200Z", + "ingested": "2021-06-09T12:48:02.763426100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4203,6 +4431,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4226,7 +4457,7 @@ }, "@timestamp": "2020-02-10T07:37:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4242,7 +4473,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229373800Z", + "ingested": "2021-06-09T12:48:02.763428800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:23\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4269,6 +4501,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -4292,7 +4527,7 @@ }, "@timestamp": "2020-02-10T07:37:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4308,7 +4543,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229376300Z", + "ingested": "2021-06-09T12:48:02.763431400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:24\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"9edbf9fe-f844-401f-e9ec-08d7adfc1242\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4335,6 +4571,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4369,7 +4608,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4385,7 +4624,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229378800Z", + "ingested": "2021-06-09T12:48:02.763434Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:15\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4412,6 +4652,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4446,7 +4689,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4462,7 +4705,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229382600Z", + "ingested": "2021-06-09T12:48:02.763437200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:17\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4489,6 +4733,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4512,7 +4759,7 @@ }, "@timestamp": "2020-02-10T07:37:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4528,7 +4775,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229385100Z", + "ingested": "2021-06-09T12:48:02.763440Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"9edbf9fe-f844-401f-e9ec-08d7adfc1242\", \"CreationTime\": \"2020-02-10T07:37:24\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4555,6 +4803,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -4576,7 +4827,7 @@ }, "@timestamp": "2020-02-07T20:49:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -4592,7 +4843,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229388100Z", + "ingested": "2021-06-09T12:48:02.763442900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"InstantMessagingType\", \"Value\": \"Ocs\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-OwaMailboxPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\", \"Id\": \"0d7995da-038f-40d9-2765-08d7ac0f3d4d\", \"CreationTime\": \"2020-02-07T20:49:34\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4619,6 +4871,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4655,7 +4910,7 @@ }, "@timestamp": "2020-02-10T07:37:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4671,7 +4926,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229390800Z", + "ingested": "2021-06-09T12:48:02.763445700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": 
\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Id\": \"425128e3-4281-42f6-4ec7-08d7adfc0acd\", \"CreationTime\": \"2020-02-10T07:37:12\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4698,6 +4954,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4732,7 +4991,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4748,7 +5007,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229394700Z", + "ingested": "2021-06-09T12:48:02.763449600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\", \"CreationTime\": \"2020-02-10T07:37:14\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4775,6 +5035,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4809,7 +5072,7 @@ }, "@timestamp": "2020-02-10T07:37:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4825,7 +5088,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229398200Z", + "ingested": "2021-06-09T12:48:02.763452500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:13\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4852,6 +5116,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4886,7 +5153,7 @@ }, "@timestamp": "2020-02-07T20:49:02.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4902,7 +5169,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229400900Z", + "ingested": "2021-06-09T12:48:02.763455100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:02\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -4929,6 +5197,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -4963,7 +5234,7 @@ }, "@timestamp": "2020-02-07T20:48:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -4979,7 +5250,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229403600Z", + "ingested": "2021-06-09T12:48:02.763457700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:57\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5006,6 +5278,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5040,7 +5315,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5056,7 +5331,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229406100Z", + "ingested": "2021-06-09T12:48:02.763460100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"2db154f6-63ae-4a31-c548-08d7adfc0d1d\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5083,6 +5359,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5117,7 +5396,7 @@ }, "@timestamp": "2020-02-07T20:49:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5133,7 +5412,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229409400Z", + "ingested": "2021-06-09T12:48:02.763462800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:21\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5160,6 +5440,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5194,7 +5477,7 @@ }, "@timestamp": "2020-02-10T07:37:17.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5210,7 +5493,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229412500Z", + "ingested": "2021-06-09T12:48:02.763465300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\", \"CreationTime\": \"2020-02-10T07:37:17\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5237,6 +5521,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5259,7 +5546,7 @@ }, "@timestamp": "2020-02-07T20:48:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -5275,7 +5562,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229415400Z", + "ingested": "2021-06-09T12:48:02.763468800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:04\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Enable-AddressListPaging\", \"Id\": \"a0063917-bb25-4c17-fe2e-08d7ac0f0769\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5302,6 +5590,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -5325,7 +5616,7 @@ }, "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -5341,7 +5632,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229419700Z", + "ingested": "2021-06-09T12:48:02.763471500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:55\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5368,6 +5660,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5390,7 +5685,7 @@ }, "@timestamp": "2020-02-10T07:37:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5406,7 +5701,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229422300Z", + "ingested": "2021-06-09T12:48:02.763474500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\", \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:24\", \"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"PrivacyStatementURL\", \"Value\": \"http://go.microsoft.com/fwlink/?LinkID=259417\"}, {\"Name\": \"PrivacyLinkDisplayEnabled\", \"Value\": \"True\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-ExchangeAssistanceConfig\", \"Id\": \"2cb36c1c-1368-4483-9801-08d7adfc11fe\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5433,6 +5729,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5456,7 +5755,7 @@ }, "@timestamp": "2020-02-10T07:37:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5472,7 +5771,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229424900Z", + "ingested": "2021-06-09T12:48:02.763478900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:23\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5499,6 +5799,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5520,7 +5823,7 @@ }, "@timestamp": "2020-02-10T07:37:24.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5536,7 +5839,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229427800Z", + "ingested": "2021-06-09T12:48:02.763481700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:24\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5563,6 +5867,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5586,7 +5893,7 @@ }, "@timestamp": "2020-02-07T20:49:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5602,7 +5909,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229430400Z", + "ingested": "2021-06-09T12:48:02.763484500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}, {\"Name\": \"User\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"}, {\"Name\": \"AccessRights\", \"Value\": \"FullAccess\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:49\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Add-MailboxPermission\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5629,6 +5937,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5650,7 +5961,7 @@ }, "@timestamp": "2020-02-07T20:49:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5666,7 +5977,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229433Z", + "ingested": "2021-06-09T12:48:02.763487100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"CreationTime\": \"2020-02-07T20:49:49\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5693,6 +6005,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5716,7 +6031,7 @@ }, "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5732,7 +6047,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229435500Z", + "ingested": "2021-06-09T12:48:02.763489700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:55\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5759,6 +6075,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5793,7 +6112,7 @@ }, "@timestamp": "2020-02-10T07:37:12.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5809,7 +6128,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229438Z", + "ingested": "2021-06-09T12:48:02.763492300Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"OMEncryptionStore\", \"Value\": \"True\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"Workload\": \"Exchange\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\", \"Id\": \"7386959b-a0d0-459e-baf8-08d7adfc0b4b\", \"CreationTime\": \"2020-02-10T07:37:12\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5836,6 +6156,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5870,7 +6193,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5886,7 +6209,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229440600Z", + "ingested": "2021-06-09T12:48:02.763494900Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\", \"CreationTime\": \"2020-02-10T07:37:15\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5913,6 +6237,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -5947,7 +6274,7 @@ }, "@timestamp": "2020-02-07T20:49:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -5963,7 +6290,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229443200Z", + "ingested": "2021-06-09T12:48:02.763497800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"CreationTime\": \"2020-02-07T20:49:03\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -5990,6 +6318,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6024,7 +6355,7 @@ }, "@timestamp": "2020-02-07T20:49:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6040,7 +6371,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229445900Z", + "ingested": "2021-06-09T12:48:02.763500500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:21\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6067,6 +6399,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6101,7 +6436,7 @@ }, "@timestamp": "2020-02-07T20:49:04.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6117,7 +6452,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229448400Z", + "ingested": "2021-06-09T12:48:02.763503100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\", \"CreationTime\": \"2020-02-07T20:49:04\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6144,6 +6480,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6178,7 +6517,7 @@ }, "@timestamp": "2020-02-07T20:49:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6194,7 +6533,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229451Z", + "ingested": "2021-06-09T12:48:02.763505600Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"Workload\": \"Exchange\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\", \"CreationTime\": \"2020-02-07T20:49:21\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6221,6 +6561,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6255,7 +6598,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6271,7 +6614,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229453600Z", + "ingested": "2021-06-09T12:48:02.763508200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:14\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"d16f181c-257c-4d40-45e1-08d7adfc0c02\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6298,6 +6642,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6332,7 +6679,7 @@ }, "@timestamp": "2020-02-07T20:48:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6348,7 +6695,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229456200Z", + "ingested": "2021-06-09T12:48:02.763510800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\", \"CreationTime\": \"2020-02-07T20:48:57\"}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6375,6 +6723,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6398,7 +6749,7 @@ }, "@timestamp": "2020-02-10T07:37:21.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6414,7 +6765,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229459800Z", + "ingested": "2021-06-09T12:48:02.763513200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:21\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}, {\"Name\": \"User\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"}, {\"Name\": \"AccessRights\", \"Value\": \"FullAccess\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Add-MailboxPermission\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6441,6 +6793,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6475,7 +6830,7 @@ }, "@timestamp": "2020-02-07T20:48:57.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6491,7 +6846,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229462300Z", + "ingested": "2021-06-09T12:48:02.763515700Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\", \"CreationTime\": \"2020-02-07T20:48:57\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6518,6 +6874,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6552,7 +6911,7 @@ }, "@timestamp": "2020-02-10T07:37:13.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6568,7 +6927,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229465600Z", + "ingested": "2021-06-09T12:48:02.763519Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\", \"CreationTime\": \"2020-02-10T07:37:13\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6595,6 +6955,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6617,7 +6980,7 @@ }, "@timestamp": "2020-02-10T07:37:07.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -6633,7 +6996,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229468500Z", + "ingested": "2021-06-09T12:48:02.763521800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:07\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Enable-AddressListPaging\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6660,6 +7024,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -6694,7 +7061,7 @@ }, "@timestamp": "2020-02-10T07:37:14.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6710,7 +7077,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229471100Z", + "ingested": "2021-06-09T12:48:02.763524500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6737,6 +7105,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6758,7 +7129,7 @@ }, "@timestamp": "2020-02-07T20:48:32.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -6774,7 +7145,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229473700Z", + "ingested": "2021-06-09T12:48:02.763527400Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Resource Schema\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:32\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-ResourceConfig\", \"Id\": \"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6801,6 +7173,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6824,7 +7199,7 @@ }, "@timestamp": "2020-02-10T07:37:23.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6840,7 +7215,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229476300Z", + "ingested": "2021-06-09T12:48:02.763530100Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:23\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6867,6 +7243,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -6898,7 +7277,7 @@ }, "@timestamp": "2020-02-07T20:48:42.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6914,7 +7293,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229478900Z", + "ingested": "2021-06-09T12:48:02.763532500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"Parameters\": [{\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"UMGrammar\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"MaxSendSize\", \"Value\": \"1 GB (1,073,741,824 bytes)\"}, {\"Name\": \"MailRouting\", \"Value\": \"True\"}, {\"Name\": \"MessageTracking\", \"Value\": \"True\"}, {\"Name\": \"OMEncryption\", \"Value\": \"True\"}, {\"Name\": \"OABGen\", \"Value\": \"True\"}, {\"Name\": \"ClientExtensions\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"}, {\"Name\": \"GMGen\", \"Value\": \"True\"}, {\"Name\": \"SuiteServiceStorage\", \"Value\": \"True\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:42\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\", \"Id\": \"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -6941,6 +7321,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -6975,7 +7358,7 @@ }, "@timestamp": "2020-02-10T07:37:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -6991,7 +7374,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229481400Z", + "ingested": "2021-06-09T12:48:02.763535Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:16\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"c6db95ea-9eae-4b58-d692-08d7adfc0d98\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7018,6 +7402,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -7041,7 +7428,7 @@ }, "@timestamp": "2020-02-07T20:49:52.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -7057,7 +7444,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229484Z", + "ingested": "2021-06-09T12:48:02.763537500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:52\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"Id\": \"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7084,6 +7472,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { 
@@ -7118,7 +7509,7 @@ }, "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -7134,7 +7525,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229486600Z", + "ingested": "2021-06-09T12:48:02.763540200Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"fcd82149-fc1c-4866-e16d-08d7adfc0cff\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7161,6 +7553,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -7197,7 +7592,7 @@ }, "@timestamp": "2020-02-07T20:48:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -7213,7 +7608,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229489100Z", + "ingested": "2021-06-09T12:48:02.763542800Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", 
\"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\", \"CreationTime\": \"2020-02-07T20:48:44\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", @@ -7240,6 +7636,9 @@ "destination": { "ip": "15.20.207.17" }, + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Parameters": { @@ -7274,7 +7673,7 @@ }, "@timestamp": "2020-02-10T07:37:16.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -7290,7 +7689,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:53.229491900Z", + "ingested": "2021-06-09T12:48:02.763545500Z", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"e9e580ee-ac04-436f-9214-08d7adfc0d8b\", \"CreationTime\": \"2020-02-10T07:37:16\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json index f9d91a623e0..b90a1175b4c 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json @@ -12,6 +12,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -48,7 +51,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -69,7 +72,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736309500Z", + "ingested": "2021-06-09T12:48:06.283084700Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"Create\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -100,6 +104,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, 
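Review bot: The case where the original event is not preserved is left untested by these fixtures: every expected document here gains both `"preserve_original_event"` in `tags` and a populated `event.original` (the `@@ -69,7 +72,8 @@` and `@@ -100,6 +104,9 @@` hunks on this line, and the same pair throughout the exchange-admin fixture above). Judging by the commit's file list, the per-test configs were folded into one shared config, which presumably sets the tag for all tests; the pipeline itself is not visible from here. That path matters because the preserved string stores the full audit record a second time, here including `Subject`, `Attachments` and `MailboxOwnerUPN`, and operators who leave the option off will expect those values not to be retained in raw form. I would add one pipeline test whose config omits the tag and whose expected output contains no `event.original`.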
@@ -136,7 +143,7 @@ }, "@timestamp": "2020-02-17T08:53:46.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -157,7 +164,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736333900Z", + "ingested": "2021-06-09T12:48:06.283110Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\"},\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Subject\":\"The new All Company group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:46\",\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", 
@@ -188,6 +196,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -224,7 +235,7 @@ }, "@timestamp": "2020-02-17T08:53:31.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -245,7 +256,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736337400Z", + "ingested": "2021-06-09T12:48:06.283113800Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"Create\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\"},\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Subject\":\"The new All Company group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:31\",\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", 
@@ -276,6 +288,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -312,7 +327,7 @@ }, "@timestamp": "2020-02-17T08:53:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -333,7 +348,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736340400Z", + "ingested": "2021-06-09T12:48:06.283116700Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:41\",\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -364,6 +380,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, 
@@ -400,7 +419,7 @@ }, "@timestamp": "2020-02-17T08:53:22.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -421,7 +440,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736342900Z", + "ingested": "2021-06-09T12:48:06.283119500Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:22\",\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -452,6 +472,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, 
@@ -488,7 +511,7 @@ }, "@timestamp": "2020-02-17T08:53:22.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -509,7 +532,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736345200Z", + "ingested": "2021-06-09T12:48:06.283122100Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:22\",\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -540,6 +564,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -576,7 +603,7 @@ }, "@timestamp": "2020-02-17T08:53:41.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -597,7 +624,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736347600Z", + "ingested": "2021-06-09T12:48:06.283124700Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:41\",\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -628,6 +656,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -664,7 +695,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -685,7 +716,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736349900Z", + "ingested": "2021-06-09T12:48:06.283127Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", @@ -716,6 +748,9 @@ "source": { "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -752,7 +787,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ 
@@ -773,7 +808,8 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-02T06:59:56.736352Z", + "ingested": "2021-06-09T12:48:06.283129400Z", + "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json index 78a088e9db3..d15e380d488 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json @@ -9,7 +9,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -26,7 +26,9 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-02T06:59:57.100153600Z", + "ingested": "2021-06-09T12:48:06.648672600Z", + "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -34,9 +36,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" } @@ -50,7 +54,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -67,7 +71,9 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-02T06:59:57.100167200Z", + "ingested": "2021-06-09T12:48:06.648694700Z", + "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -75,9 +81,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" } 
@@ -91,7 +99,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -106,7 +114,9 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-02T06:59:57.100170100Z", + "ingested": "2021-06-09T12:48:06.648699100Z", + "original": "{\"ClientIP\":\"10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -114,9 +124,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" } @@ -130,7 +142,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -145,7 +157,9 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-02T06:59:57.100172700Z", + "ingested": "2021-06-09T12:48:06.648701900Z", + "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -153,9 +167,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" } @@ -169,7 +185,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -186,7 +202,9 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-02T06:59:57.100175Z", + "ingested": "2021-06-09T12:48:06.648704200Z", + "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" 
@@ -194,9 +212,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" } @@ -210,7 +230,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -227,7 +247,9 @@ "ip": "2001:db8::abcd" }, "event": { - "ingested": "2021-06-02T06:59:57.100177200Z", + "ingested": "2021-06-09T12:48:06.648706600Z", + "original": "{\"ClientIP\":\"[2001:db8::abcd]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -235,9 +257,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" } @@ -251,7 +275,7 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "ip": [ @@ -266,7 +290,9 @@ "ip": "2001:db8::abcd" }, "event": { - "ingested": "2021-06-02T06:59:57.100179300Z", + "ingested": "2021-06-09T12:48:06.648708900Z", + "original": "{\"ClientIP\":\"2001:db8::abcd\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -274,9 +300,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" } 
@@ -290,13 +318,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "[2001:db8::abcd]" }, "event": { - "ingested": "2021-06-02T06:59:57.100181500Z", + "ingested": "2021-06-09T12:48:06.648711300Z", + "original": "{\"ClientIP\":\"[2001:db8::abcd]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -304,9 +334,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -317,13 +349,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "[10.11.12.13]" }, "event": { - "ingested": "2021-06-02T06:59:57.100183800Z", + "ingested": "2021-06-09T12:48:06.648713700Z", + "original": "{\"ClientIP\":\"[10.11.12.13]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -331,9 +365,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -344,13 +380,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "localhost" }, "event": { - "ingested": "2021-06-02T06:59:57.100186Z", + "ingested": "2021-06-09T12:48:06.648716100Z", + "original": "{\"ClientIP\":\"localhost\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -358,9 +396,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { 
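Review bot: The expected documents in hunks `@@ -290,13 +318,15 @@` and `@@ -317,13 +349,15 @@` keep a bracketed IP literal without a port (`[2001:db8::abcd]`, `[10.11.12.13]`) in `client.domain`, and the visible part of each document has no `ip` field or `network.type`. The same addresses with a port, or without brackets, are parsed to an IP in the earlier hunks of this file. Detections and enrichments keyed on the IP fields would not see these events, so the pipeline should probably strip the brackets before choosing between IP and domain; the regenerated fixture would then show `"ip": "2001:db8::abcd"` here. This behaviour predates the commit and the start of each document lies outside the hunks, so confirm against the full expected file.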
@@ -371,13 +411,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "[localhost]:12345" }, "event": { - "ingested": "2021-06-02T06:59:57.100188Z", + "ingested": "2021-06-09T12:48:06.648718400Z", + "original": "{\"ClientIP\":\"[localhost]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -385,9 +427,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -398,13 +442,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "localhost:12345" }, "event": { - "ingested": "2021-06-02T06:59:57.100192500Z", + "ingested": "2021-06-09T12:48:06.648720800Z", + "original": "{\"ClientIP\":\"localhost:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -412,9 +458,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -425,13 +473,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "[cool.client.local]:12345" }, "event": { - "ingested": "2021-06-02T06:59:57.100194700Z", + "ingested": "2021-06-09T12:48:06.648723200Z", + "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" 
@@ -439,9 +489,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -452,13 +504,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "cool.client.local" }, "event": { - "ingested": "2021-06-02T06:59:57.100196900Z", + "ingested": "2021-06-09T12:48:06.648725800Z", + "original": "{\"ClientIP\":\"cool.client.local\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -466,9 +520,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "o365": { @@ -479,13 +535,15 @@ }, "@timestamp": "2020-02-17T17:12:03.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "client": { "domain": "cool.client.local:12345" }, "event": { - "ingested": "2021-06-02T06:59:57.100199100Z", + "ingested": "2021-06-09T12:48:06.648728100Z", + "original": "{\"ClientIP\":\"cool.client.local:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", + "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", "type": [ "info" @@ -493,9 +551,11 @@ "category": [ "web" ], - "kind": "event", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json index 85f86af7fcf..43989136272 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json @@ -14,7 +14,7 @@ }, "@timestamp": "2020-02-17T16:59:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", @@ -25,7 +25,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:57.286173800Z", + "ingested": "2021-06-09T12:48:06.851666300Z", + "original": "{\"RecordType\":25,\"Version\":1,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserId\":\"Application\",\"UserKey\":\"\",\"CreationTime\":\"2020-02-17T16:59:44\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"TeamCreated\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"UserType\":5,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", "kind": "event", @@ -45,11 +46,17 @@ "user": { "id": "Application" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "SIEMTest" } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "25", @@ -86,7 +93,7 @@ }, "@timestamp": "2020-02-17T16:59:47.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -106,7 +113,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:57.286189300Z", + "ingested": "2021-06-09T12:48:06.851683900Z", + "original": "{\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:47\",\"ItemName\":\"SIEMTest\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"UserType\":0,\"Members\":[{\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\",\"DisplayName\":\"David\"},{\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\",\"DisplayName\":\"Chuck\"},{\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\",\"DisplayName\":\"Bob\"},{\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alice\"}]}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", "kind": "event", @@ -134,6 +142,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "RecordType": "25", @@ -155,7 +166,7 @@ }, "@timestamp": "2020-02-17T16:59:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -172,7 +183,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:57.286192400Z", + "ingested": "2021-06-09T12:48:06.851687500Z", + "original": "{\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:44\",\"ItemName\":\"SIEMTest\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"UserType\":0,\"Members\":[{\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alan Smithee\"}]}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", "kind": "event", @@ -213,7 +225,7 @@ }, "@timestamp": "2020-02-17T16:59:34.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -229,7 +241,8 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-02T06:59:57.286194600Z", + "ingested": "2021-06-09T12:48:06.851690300Z", + "original": "{\"RecordType\":25,\"Version\":1,\"ObjectId\":\"Unknown (Unknown)\",\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"CreationTime\":\"2020-02-17T16:59:34\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"Operation\":\"TeamsSessionStarted\",\"UserType\":0,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", "kind": "event", @@ -248,7 +261,10 @@ "id": "bob@testsiem.onmicrosoft.com", "email": "bob@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
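Review bot: Every expected document in this file now carries `"tags": ["preserve_original_event"]` together with `event.original`, as do the other fixtures visible in this patch, so the suite appears to exercise only the opt-in path. `event.original` here holds the full raw audit record, including member UPNs and display names, so the default path without the tag deserves a fixture asserting that `event.original` is absent from the output. Presumably the shared test config sets the tag for all tests; a second config without it, applied to one small log file, would be enough. The pipeline and the config are outside these hunks, so this is inferred from the fixtures.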
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json index ccd843ba5c6..555f0e52c30 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json @@ -1,6 +1,21 @@ { "expected": [ { + "rule": { + "reference": [ + "http://example.net/alert", + "http://example.net/info" + ], + "name": "Elevation of Exchange admin privilege", + "ruleset": "User", + "description": "asr@testsiem.onmicrosoft.com", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "AccessGovernance" + }, + "message": "New alert", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Status": "Active", @@ -21,7 +36,7 @@ }, "@timestamp": "2020-02-14T19:00:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", 
@@ -31,20 +46,9 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, - "rule": { - "reference": [ - "http://example.net/alert", - "http://example.net/info" - ], - "name": "Elevation of Exchange admin privilege", - "ruleset": "User", - "description": "asr@testsiem.onmicrosoft.com", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" - }, - "message": "New alert", "event": { - "ingested": "2021-06-02T06:59:57.373056Z", + "ingested": "2021-06-09T12:48:06.967302200Z", + "original": "{\"Category\": \"AccessGovernance\", \"UserKey\": \"SecurityComplianceAlerts\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AlertEntityId\" : \"asr@testsiem.onmicrosoft.com\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"RecordType\" : 40, \"Version\" : 1, \"Status\" : \"Active\", \"ObjectId\" : \"asr@testsiem.onmicrosoft.com\", \"ResultStatus\" : \"Succeeded\", \"Comments\" : \"New alert\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/alert\" }, { \"AlertLinkHref\" : \"http://example.net/info\" } ], \"Severity\" : \"Low\", \"Data\" : \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\", \"Workload\" : \"SecurityComplianceCenter\", \"EntityType\" : \"User\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\", \"UserType\" : 4, \"PolicyId\" : 
\"17d51759-88e1-40c1-8df3-20bcf2e43057\" }", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", "kind": "alert", @@ -63,6 +67,18 @@ } }, { + "rule": { + "reference": [ + "http://example.net/single" + ], + "name": "Elevation of Exchange admin privilege", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "AccessGovernance" + }, + "message": "New alert", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Status": "Active", @@ -83,7 +99,7 @@ }, "@timestamp": "2020-02-14T19:00:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", 
@@ -93,17 +109,9 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, - "rule": { - "reference": [ - "http://example.net/single" - ], - "name": "Elevation of Exchange admin privilege", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" - }, - "message": "New alert", "event": { - "ingested": "2021-06-02T06:59:57.373072600Z", + "ingested": "2021-06-09T12:48:06.967318200Z", + "original": "{ \"Status\" : \"Active\", \"Category\" : \"AccessGovernance\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"New alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/single\" } ], \"Data\" : \"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\", \"Severity\" : \"Low\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : 
\"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\" }", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", "kind": "alert", @@ -122,6 +130,17 @@ } }, { + "rule": { + "name": "Phony Malware Alert", + "ruleset": "MalwareFamily", + "description": "Malware/Evil.Malware.B", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "ThreatManagement" + }, + "message": "This is a phony threat alert", + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Status": "Active", @@ -142,7 +161,7 @@ }, "@timestamp": "2020-02-14T19:00:00.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "organization": { "name": "mytenant.onmicrosoft.com", 
@@ -152,16 +171,9 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, - "rule": { - "name": "Phony Malware Alert", - "ruleset": "MalwareFamily", - "description": "Malware/Evil.Malware.B", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "ThreatManagement" - }, - "message": "This is a phony threat alert", "event": { - "ingested": "2021-06-02T06:59:57.373075800Z", + "ingested": "2021-06-09T12:48:06.967321600Z", + "original": "{ \"Status\" : \"Active\", \"Category\" : \"ThreatManagement\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"12345678-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"This is a phony threat alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [], \"Data\" : \"{\\\"something\\\":\\\"blabla\\\"}\", \"Severity\" : \"High\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Phony Malware Alert\", \"AlertType\" : \"System\", \"AlertId\" : \"1233344-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\", \"AlertEntityId\" : \"Malware/Evil.Malware.B\", \"EntityType\" : \"MalwareFamily\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", "kind": "alert", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json index 3b24c25098d..9dda11c0c51 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json @@ -22,6 +22,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -45,7 +48,7 @@ }, "@timestamp": "2020-02-07T16:43:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -68,7 +71,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.457067900Z", + "ingested": "2021-06-09T12:48:07.068651800Z", + "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CustomUniqueId\": true, \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"Operation\": \"PageViewed\", \"CreationTime\": \"2020-02-07T16:43:53\", \"RecordType\": 4}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -124,6 +128,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -147,7 +154,7 @@ }, "@timestamp": "2020-02-07T16:43:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -170,7 +177,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.457082900Z", + "ingested": "2021-06-09T12:48:07.068666300Z", + "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -226,6 +234,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -249,7 +260,7 @@ }, "@timestamp": "2020-02-07T16:43:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -272,7 +283,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.457085900Z", + "ingested": "2021-06-09T12:48:07.068669900Z", + "original": "{\"UserId\": \"asr@testsiem.onmicrosoft.com\", \"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"RecordType\": 4, \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"Version\": 1, \"EventSource\": \"SharePoint\", \"CustomUniqueId\": true, \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"Operation\": \"PageViewed\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"ItemType\": \"Page\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", @@ -328,6 +340,9 @@ }, "ip": "213.97.47.133" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -351,7 +366,7 @@ }, "@timestamp": "2020-02-07T16:43:53.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -374,7 +389,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.457088800Z", + "ingested": "2021-06-09T12:48:07.068672800Z", + "original": "{\"Workload\": \"OneDrive\", \"Version\": 1, \"RecordType\": 4, \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"ClientIP\": \"213.97.47.133\", \"Operation\": \"PageViewed\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"ItemType\": \"Page\"}", "code": "SharePoint", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json index 0b869af15bc..9755ba8d384 100644 
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json @@ -25,6 +25,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -53,7 +56,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -76,7 +79,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652763500Z", + "ingested": "2021-06-09T12:48:07.270266900Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"SourceRelativeUrl\": \"Documents\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Version\": 1, \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -137,6 +141,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -165,7 +172,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -188,7 +195,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652779600Z", + "ingested": "2021-06-09T12:48:07.270281200Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"RecordType\": 6, \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -249,6 +257,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -277,7 +288,7 @@ "extension": "aspx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -300,7 +311,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652782800Z", + "ingested": "2021-06-09T12:48:07.270284600Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:08\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents/Forms\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"aspx\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-90a0-a000-f25f-919afc141eb1\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"All.aspx\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"ff3631c1-6189-45c7-ad45-c15cea9e9255\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileAccessed\", \"Id\": \"25b08f04-48ee-4755-ce22-08d7abecf3a9\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -361,6 +373,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -389,7 +404,7 @@ "extension": "aspx" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -412,7 +427,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652785400Z", + "ingested": "2021-06-09T12:48:07.270287200Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:08\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents/Forms\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"aspx\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-90a0-a000-f25f-919afc141eb1\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"All.aspx\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"ff3631c1-6189-45c7-ad45-c15cea9e9255\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileAccessed\", \"Id\": \"25b08f04-48ee-4755-ce22-08d7abecf3a9\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -473,6 +489,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -502,7 +521,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -525,7 +544,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652789700Z", + "ingested": "2021-06-09T12:48:07.270291100Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:21\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"ImplicitShare\": \"No\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-c016-a000-f25f-990a07b2e011\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileUploaded\", \"Id\": \"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -586,6 +606,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -614,7 +637,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -637,7 +660,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652792100Z", + "ingested": "2021-06-09T12:48:07.270293900Z", + "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -698,6 +722,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -726,7 +753,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -749,7 +776,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652794300Z", + "ingested": "2021-06-09T12:48:07.270296800Z", + "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -810,6 +838,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -839,7 +870,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -862,7 +893,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652796500Z", + "ingested": "2021-06-09T12:48:07.270299300Z", + "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:21\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"ImplicitShare\": \"No\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-c016-a000-f25f-990a07b2e011\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileUploaded\", \"Id\": \"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -923,6 +955,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -951,7 +986,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -974,7 +1009,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652798700Z", + "ingested": "2021-06-09T12:48:07.270301700Z", + "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Version\": 1, \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -1035,6 +1071,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1063,7 +1102,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1086,7 +1125,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652800800Z", + "ingested": "2021-06-09T12:48:07.270304200Z", + "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", @@ -1147,6 +1187,9 @@ "url": { "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -1175,7 +1218,7 @@ "extension": "png" }, "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -1198,7 +1241,8 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-02T06:59:57.652802900Z", + "ingested": "2021-06-09T12:48:07.270306600Z", + "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-config.yml +++ /dev/null @@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json index 8c447dcf8f9..1f620a22620 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json @@ -1,6 +1,9 @@ { "expected": [ { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", @@ -23,7 +26,7 @@ }, "@timestamp": "2020-02-17T16:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -40,7 +43,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:58.174592800Z", + "ingested": "2021-06-09T12:48:07.800332700Z", + "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"Everyone except external users\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Members\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"TargetUserOrGroupType\":\"SecurityGroup\",\"Version\":1,\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"CreationTime\":\"2020-02-17T16:59:50\",\"UserAgent\":\"\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", "kind": "event", @@ -69,6 +73,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", 
@@ -91,7 +98,7 @@ }, "@timestamp": "2020-02-17T16:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -108,7 +115,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:58.174609Z", + "ingested": "2021-06-09T12:48:07.800347200Z", + "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"Member\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserId\":\"app@sharepoint\",\"UserAgent\":\"\",\"CreationTime\":\"2020-02-17T16:59:50\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", "kind": "event", @@ -137,6 +145,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", @@ -159,7 +170,7 @@ }, "@timestamp": "2020-02-17T16:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -176,7 +187,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:58.174612Z", + "ingested": "2021-06-09T12:48:07.800350500Z", + "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"ItemType\":\"Web\",\"TargetUserOrGroupName\":\"SIEMTest Owners\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"SecurityGroup\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserId\":\"app@sharepoint\",\"CreationTime\":\"2020-02-17T16:59:50\",\"UserAgent\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", "kind": "event", @@ -205,6 +217,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", @@ -227,7 +242,7 @@ }, "@timestamp": "2020-02-17T16:59:50.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -244,7 +259,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:58.174614800Z", + "ingested": "2021-06-09T12:48:07.800353300Z", + "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"SIEMTest Members\",\"Operation\":\"AddedToGroup\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Members\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserAgent\":\"\",\"CreationTime\":\"2020-02-17T16:59:50\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", "kind": "event", @@ -273,6 +289,9 @@ } }, { + "tags": [ + "preserve_original_event" + ], "o365": { "audit": { "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", @@ -295,7 +314,7 @@ }, "@timestamp": "2020-02-17T16:59:49.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -312,7 +331,8 @@ }, "client": {}, "event": { - "ingested": "2021-06-02T06:59:58.174617300Z", + "ingested": "2021-06-09T12:48:07.800355700Z", + "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"TargetUserOrGroupType\":\"Member\",\"Version\":1,\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"CreationTime\":\"2020-02-17T16:59:49\",\"UserAgent\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", "kind": "event", @@ -362,6 +382,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -387,7 +410,7 @@ }, "@timestamp": "2020-02-14T18:25:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -410,7 +433,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.174619500Z", + "ingested": "2021-06-09T12:48:07.800358100Z", + "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"ItemType\":\"List\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingInheritanceBroken\",\"ClientIP\":\"79.159.10.151\",\"EventData\":\"\u003ccopyRoleAssignments\u003eFalse\u003c/copyRoleAssignments\u003e\u003cclearSubScopes\u003eFalse\u003c/clearSubScopes\u003e\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Sharing Links\",\"EventSource\":\"SharePoint\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -466,6 +490,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -495,7 +522,7 @@ }, "@timestamp": "2020-02-14T18:25:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -518,7 +545,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.174621900Z", + "ingested": "2021-06-09T12:48:07.800360400Z", + "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"AnonymousLinkCreated\",\"EventData\":\"\u003cType\u003eEdit\u003c/Type\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"SourceFileName\":\"Screenshot.png\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"ClientIP\":\"79.159.10.151\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -574,6 +602,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -604,7 +635,7 @@ }, "@timestamp": "2020-02-14T18:25:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -627,7 +658,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.174623900Z", + "ingested": "2021-06-09T12:48:07.800362900Z", + "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"EventData\":\"\u003cPermissions granted\u003eContribute\u003c/Permissions granted\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SourceFileName\":\"Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"ClientIP\":\"79.159.10.151\",\"SourceFileExtension\":\"png\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -683,6 +715,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -713,7 +748,7 @@ }, "@timestamp": "2020-02-14T18:25:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -736,7 +771,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.174626100Z", + "ingested": "2021-06-09T12:48:07.800365300Z", + "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingSet\",\"EventData\":\"\u003cPermissions granted\u003eLimited Access\u003c/Permissions granted\u003e\",\"RecordType\":14,\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"SourceFileName\":\"Screenshot.png\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"ClientIP\":\"79.159.10.151\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:44\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", @@ -792,6 +828,9 @@ }, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -822,7 +861,7 @@ }, "@timestamp": "2020-02-14T18:25:44.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -845,7 +884,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.174628200Z", + "ingested": "2021-06-09T12:48:07.800367800Z", + "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"ItemType\":\"File\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingSet\",\"EventData\":\"\u003cPermissions granted\u003eSystem.LimitedEdit\u003c/Permissions granted\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SourceFileName\":\"Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"ClientIP\":\"79.159.10.151\",\"SourceFileExtension\":\"png\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:44\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", "kind": "event", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-config.yml deleted file mode 100644 index c45be4757bd..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - "@timestamp": "2020-04-28T11:07:58.223Z" - "_conf": - "tenants": - "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json index 2904f681ab8..fae046b60ef 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json @@ -23,6 +23,9 @@ "port": 12345, "ip": "79.159.10.151" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv4" }, @@ -42,7 +45,7 @@ }, "@timestamp": "2020-02-28T09:42:45.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ @@ -65,7 +68,8 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-02T06:59:58.574518Z", + "ingested": "2021-06-09T12:48:08.223704Z", + "original": "{\"ObjectId\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"CreationTime\":\"2020-02-28T09:42:45\",\"UserKey\":\"100320009d6edf94\",\"YammerNetworkId\":5846122497,\"Operation\":\"GroupCreation\",\"ClientIP\":\"79.159.10.151:12345\",\"ActorYammerUserId\":36787265537,\"UserType\":0,\"ResultStatus\":\"TRUE\",\"RecordType\":22,\"Workload\":\"Yammer\",\"Version\":1,\"GroupName\":\"Sales\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\"}", "code": "Yammer", "provider": "Yammer", "kind": "event", @@ -97,6 +101,9 @@ "port": 12346, "ip": "fdfd::555" }, + "tags": [ + "preserve_original_event" + ], "network": { "type": "ipv6" }, @@ -116,7 +123,7 @@ }, "@timestamp": "2020-02-28T09:39:20.000Z", "ecs": { - "version": "1.9.0" + "version": "1.10.0" }, "related": { "user": [ 
@@ -139,7 +146,8 @@ "ip": "fdfd::555" }, "event": { - "ingested": "2021-06-02T06:59:58.574531900Z", + "ingested": "2021-06-09T12:48:08.223718600Z", + "original": "{\"CreationTime\":\"2020-02-28T09:39:20\",\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ObjectId\":\"Company group\",\"UserKey\":\"100320009d292e16\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"Operation\":\"GroupCreation\",\"ResultStatus\":\"TRUE\",\"UserType\":0,\"Workload\":\"Yammer\",\"Version\":1,\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"YammerNetworkId\":5846122497,\"RecordType\":22,\"GroupName\":\"Company group\"}", "code": "Yammer", "provider": "Yammer", "kind": "event", diff --git a/packages/o365/data_stream/audit/agent/stream/log.yml.hbs b/packages/o365/data_stream/audit/agent/stream/log.yml.hbs index a3f0d84d8b6..c506a0f85d8 100644 --- a/packages/o365/data_stream/audit/agent/stream/log.yml.hbs +++ b/packages/o365/data_stream/audit/agent/stream/log.yml.hbs @@ -4,19 +4,25 @@ paths: {{/each}} exclude_files: [".gz$"] tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#each tags as |tag i|}} -- {{tag}} + - {{tag}} {{/each}} {{#contains tags "forwarded"}} publisher_pipeline.disable_host: true {{/contains}} {{#if tenant_names}} processors: - - add_fields: - target: '_conf.tenants' - fields: - mappings: +{{#if processors}} +{{processors}} +{{/if}} +- add_fields: + target: '_conf.tenants' + fields: + mappings: {{#each tenant_names as |entry i|}} - - {{entry.id}}: {{entry.name}} + - {{entry.id}}: {{entry.name}} {{/each}} {{/if}} \ No newline at end of file diff --git a/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs b/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs index 8ca3ea29ff7..ecea19e0dc5 100644 --- a/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs 
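Review bot: The new `{{#if processors}}` block sits inside `{{#if tenant_names}}`, so processors a user configures are rendered only when tenant names are also set and are silently dropped otherwise. That matters most when the processors exist to drop or redact fields before events leave the agent. The same nesting is added to `o365audit.yml.hbs` in the next hunk. The `processors:` key should be emitted whenever either option is set, as sketched below; the template starts above the hunk, so the result needs checking against the full file.

```handlebars
{{#if processors}}
processors:
{{processors}}
{{#if tenant_names}}
{{!-- … unchanged: add_fields block for _conf.tenants … --}}
{{/if}}
{{else}}
{{#if tenant_names}}
processors:
{{!-- … unchanged: add_fields block for _conf.tenants … --}}
{{/if}}
{{/if}}
```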
+++ b/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs @@ -23,11 +23,14 @@ publisher_pipeline.disable_host: true {{/contains}} {{#if tenant_names}} processors: - - add_fields: - target: '_conf.tenants' - fields: - mappings: +{{#if processors}} +{{processors}} +{{/if}} +- add_fields: + target: '_conf.tenants' + fields: + mappings: {{#each tenant_names as |entry i|}} - - {{entry.id}}: {{entry.name}} + - {{entry.id}}: {{entry.name}} {{/each}} {{/if}} \ No newline at end of file diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index d468a4b6859..34bf19e7e52 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -7,7 +7,7 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '1.9.0' + value: '1.10.0' - set: field: event.kind value: event @@ -17,11 +17,13 @@ processors: - append: field: event.category value: web - - json: + - rename: field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original target_field: o365audit - - remove: - field: message # General Schema - date: field: o365audit.CreationTime @@ -1026,6 +1028,11 @@ processors: field: - _conf ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/o365/data_stream/audit/manifest.yml b/packages/o365/data_stream/audit/manifest.yml index 023bc388267..1a9c28b8d59 100644 --- a/packages/o365/data_stream/audit/manifest.yml +++ b/packages/o365/data_stream/audit/manifest.yml 
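Review bot: The `rename` of `message` to `event.original` in the `@@ -17,11 +17,13 @@` hunk of `default.yml` has no guard for documents that already carry `event.original`. The rename processor raises an error when the target field exists, which would send such events to `on_failure` unparsed. Whether forwarded or re-ingested events reach this pipeline with the field already set is not visible here, but the `forwarded` tag default suggests they can. Adding `if: ctx.event?.original == null` to the rename keeps the existing copy and still lets the `json` processor read it.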
@@ -74,6 +74,23 @@ streams: show_user: false default: - forwarded + - o365-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. template_path: o365audit.yml.hbs - input: logfile title: "Collect Office 365 audit logs via log files" @@ -107,3 +124,20 @@ streams: show_user: false default: - forwarded + - o365-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. From 995aa415737a7856ffc47aedef5c788f413471c7 Mon Sep 17 00:00:00 2001 
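Review bot: The `preserve_original_event` description does not say what the raw copy contains. The expected fixtures in this patch show `event.original` holding the full audit record, including `UserId`, `ClientIP` and document URLs, so enabling the option stores those values a second time alongside the parsed fields. I would extend the description, for example `Preserves a raw copy of the original event in event.original, including user identifiers and client IP addresses from the audit record`. The same description is repeated in the second hunk for the logfile input.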
From: Marius Iversen Date: Wed, 9 Jun 2021 14:50:41 +0200 Subject: [PATCH 2/3] add changelog and linting --- packages/o365/changelog.yml | 5 + .../test-azuread-sts-logon.log-expected.json | 138 ++++++------ .../pipeline/test-azuread.log-expected.json | 200 +++++++++--------- .../_dev/test/pipeline/test-common-config.yml | 2 +- .../test-data-insights-api.log-expected.json | 18 +- .../test-dlp-exchange.log-expected.json | 12 +- .../test-dlp-sharepoint.log-expected.json | 14 +- .../test-exchange-admin.log-expected.json | 200 +++++++++--------- .../test-exchange-item.log-expected.json | 18 +- .../test-ip-formats.log-expected.json | 30 +-- .../pipeline/test-ms-teams.log-expected.json | 8 +- .../test-sec-comp-alerts.log-expected.json | 6 +- .../test-sharepoint.log-expected.json | 8 +- .../test-sharepointfileop.log-expected.json | 22 +- .../test-sp-sharing-op.log-expected.json | 20 +- .../pipeline/test-yammer.log-expected.json | 4 +- packages/o365/data_stream/audit/manifest.yml | 2 + packages/o365/manifest.yml | 2 +- 18 files changed, 358 insertions(+), 351 deletions(-) diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index 7bb68776ce7..1a065bfd65b 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.5.0" + changes: + - description: update to ECS 1.10.0 and adding event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1117 - version: "0.4.0" changes: - description: moving edge processing to ingest pipelines diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json index c082cdded02..d21240b1f7c 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon.log-expected.json 
@@ -100,7 +100,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667038900Z", + "ingested": "2021-06-09T12:50:06.341457900Z", "original": "{\"InterSystemsId\": \"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:13\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c4206c29-46c2-4a6f-a46b-735107705400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ca0efc24-1b89-4962-8fef-a3ac5437302f\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -238,7 +238,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667065300Z", + "ingested": "2021-06-09T12:50:06.341482600Z", "original": "{\"InterSystemsId\": \"05d69096-cb90-4690-ae69-8acd5177b3e0\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:24\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ed155e11-60b3-4764-b9aa-05c35f3bb800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b53de36d-ea71-4ebf-9b71-feb431bd4eba\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -376,7 +376,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667072400Z", + "ingested": "2021-06-09T12:50:06.341490300Z", "original": "{\"InterSystemsId\": \"0f5eb16e-8b22-49bf-a927-f6f310fd5879\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"6634d05a-72ec-4c27-8e69-03c57b202000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"10e2d141-839e-4913-ab3d-6cf1f4856eae\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -514,7 +514,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667102100Z", + "ingested": "2021-06-09T12:50:06.341496300Z", "original": "{\"InterSystemsId\": \"1150acae-a48d-4752-8847-7bacb7fe6e6c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:06\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1809f830-b010-4389-9607-e01ae175ca00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"68b3fd99-0dae-4479-926d-03cc0073dd08\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -652,7 +652,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667108500Z", + "ingested": "2021-06-09T12:50:06.341523700Z", "original": "{\"InterSystemsId\": \"16e81fcc-add3-46c2-8834-10ce330ffe76\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"2a84e6ff-7340-426e-9d0d-e53092c0c600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"550af372-cdfd-4286-a1b7-d58df0dcd5d6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -790,7 +790,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667114100Z", + "ingested": "2021-06-09T12:50:06.341530800Z", "original": "{\"InterSystemsId\": \"172703f7-324e-415a-a846-c39ca97eb1c8\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:23\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d66cd29f-596e-4878-b756-92b545d25f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b5f59a43-00cf-42c4-8685-a7166fd20e38\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -928,7 +928,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667120200Z", + "ingested": "2021-06-09T12:50:06.341536600Z", "original": "{\"InterSystemsId\": \"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:41\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1b395e92-5d02-408f-8bfe-139098a95500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"32e7fb94-6289-4fb4-855b-2ab78671ca4e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1066,7 +1066,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667125600Z", + "ingested": "2021-06-09T12:50:06.341542100Z", "original": "{\"InterSystemsId\": \"22aac168-9d0d-4c70-b94d-adc337ab7b06\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"280b3410-9d51-4ce3-952d-5bba18ea6600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1204,7 +1204,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667130600Z", + "ingested": "2021-06-09T12:50:06.341547900Z", "original": "{\"InterSystemsId\": \"23321532-a321-4c97-909d-9489979777d6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:05\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1909acba-a486-4ffc-805c-09fb73c0bf00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"97b494ee-9ba1-4444-b052-3459bdc9eaa5\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1342,7 +1342,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667135400Z", + "ingested": "2021-06-09T12:50:06.341553Z", "original": "{\"InterSystemsId\": \"291fb7ce-4e56-47fd-a78e-4e9012f112ab\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"391870e6-1729-40ae-9ebb-51e0652fec9b\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1480,7 +1480,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667141300Z", + "ingested": "2021-06-09T12:50:06.341559600Z", "original": "{\"InterSystemsId\": \"30e5377b-31d8-42c2-8170-13404afacde7\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:49\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8971516f-3ef3-4de0-b6b8-ebfae386bc00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a7538fb0-3213-41dc-ab38-1aed787e0cdc\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1618,7 +1618,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667146500Z", + "ingested": "2021-06-09T12:50:06.341564900Z", "original": "{\"InterSystemsId\": \"32e2f533-40fb-4783-8c66-d1bad7e1cc88\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e2a15fc0-6892-41f5-a41c-e515231cbb0a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1756,7 +1756,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667151400Z", + "ingested": "2021-06-09T12:50:06.341569900Z", "original": "{\"InterSystemsId\": \"3c5d16f4-16a6-45f4-a53d-abb86e35005b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:08\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f67a1615-4606-4673-b6fb-68f716345800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1894,7 +1894,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667156300Z", + "ingested": "2021-06-09T12:50:06.341574900Z", "original": "{\"InterSystemsId\": \"40077a75-7b58-4623-a64a-f1b7de70fa54\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:27\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e031670b-bb84-45ee-94ff-0e70a8cd1138\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2029,7 +2029,7 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-09T12:47:50.667161Z", + "ingested": "2021-06-09T12:50:06.341579700Z", "original": "{\"InterSystemsId\": \"425503c9-ccbf-4674-8f1e-4d56510474fd\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:54\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"57ef1056-6ce2-424a-b241-ce3939d00900\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d39944c4-6766-4a89-8d5a-c789175830ee\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2167,7 +2167,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667165800Z", + "ingested": "2021-06-09T12:50:06.341584600Z", "original": "{\"InterSystemsId\": \"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:12\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"6f2b7716-1acc-450d-ae13-afad7e02d07e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2305,7 +2305,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667170800Z", + "ingested": "2021-06-09T12:50:06.341589600Z", "original": "{\"InterSystemsId\": \"4542ce7e-270b-435e-8f81-ee23ea74be75\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:35\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9718abaa-220e-49c5-8c9b-588d32b8db00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"47f3c440-3fb7-4b5e-9c20-455470b289d2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2440,7 +2440,7 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-09T12:47:50.667175400Z", + "ingested": "2021-06-09T12:50:06.341594500Z", "original": "{\"InterSystemsId\": \"4836e306-1460-4f34-ab55-a74c9a14f50d\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:38:40\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2578,7 +2578,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667180Z", + "ingested": "2021-06-09T12:50:06.341599300Z", "original": "{\"InterSystemsId\": \"4a50a549-adf3-4a22-9037-7fd8cd3d0116\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1d856a16-b179-41ab-9c0d-af1d2b925100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"5aff2d1c-b203-46a6-96f0-b8f908f0e968\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2716,7 +2716,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667185100Z", + "ingested": "2021-06-09T12:50:06.341611400Z", "original": "{\"InterSystemsId\": \"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2854,7 +2854,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667190Z", + "ingested": "2021-06-09T12:50:06.341616600Z", "original": "{\"InterSystemsId\": \"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:25\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"a063e495-5883-4837-8186-5828f9f2d500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2992,7 +2992,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667195400Z", + "ingested": "2021-06-09T12:50:06.341621500Z", "original": "{\"InterSystemsId\": \"50d648cb-466d-4cf4-b2f8-3b7e84f47040\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:04\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"08e18876-6177-487e-b8b5-cf950c1e598c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000003-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"64613cae-510d-4a52-b486-070b775e5800\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3130,7 +3130,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667444600Z", + "ingested": "2021-06-09T12:50:06.341626400Z", "original": "{\"InterSystemsId\": \"5a453031-0cc3-4577-a589-4c3bf37eed78\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"814a32f0-27fd-4e82-855c-13da15a4c300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"19d57a4a-d32e-4dc6-971f-3491bc440023\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3268,7 +3268,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667464700Z", + "ingested": "2021-06-09T12:50:06.341631700Z", "original": "{\"InterSystemsId\": \"5cd6215d-e206-4c3f-805d-6e386cbdab7a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"9c218a27-ed51-4011-8383-e76850e85000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"0b158f74-e223-43c8-9cfd-5f4442f29fc7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3406,7 +3406,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667473600Z", + "ingested": "2021-06-09T12:50:06.341636200Z", "original": "{\"InterSystemsId\": \"612b339f-1088-a000-f25f-9c8af4d57894\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000003-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000003-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3544,7 +3544,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667480200Z", + "ingested": "2021-06-09T12:50:06.341643100Z", "original": "{\"InterSystemsId\": \"61eb5713-2687-4c00-a7b2-fde4788c395b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:29\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e94002d9-f6e8-46f9-8702-2a29e908e73d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3682,7 +3682,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667486700Z", + "ingested": "2021-06-09T12:50:06.341647800Z", "original": "{\"InterSystemsId\": \"61f81224-65fd-4c1b-b388-ee0e25485191\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"dc0cc415-9a00-470d-bda3-867e11fdd400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"1ca4f684-3a34-44a8-99b8-064d1071768a\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3820,7 +3820,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667493900Z", + "ingested": "2021-06-09T12:50:06.341652300Z", "original": "{\"InterSystemsId\": \"661f2330-3e04-483d-9781-caaa4543cc13\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:50\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"01c15486-46e2-487a-91f5-11445da0b600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3958,7 +3958,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667499900Z", + "ingested": "2021-06-09T12:50:06.341656800Z", "original": "{\"InterSystemsId\": \"68d7eaa4-aa57-4508-9792-09e80c911aa1\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:42\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\"}], \"ObjectId\": \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1590b91f-bffe-4cd8-9028-de52692f5400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4095,7 +4095,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667505900Z", + "ingested": "2021-06-09T12:50:06.341661400Z", "original": "{\"InterSystemsId\": \"6ae96167-2df2-425c-9f91-27e6345eb782\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:42:59\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"LogonError\": \"FlowTokenExpired\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f54da4fe-0a54-45f3-b6ea-39f873eb6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4234,7 +4234,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667513100Z", + "ingested": "2021-06-09T12:50:06.341665500Z", "original": "{\"InterSystemsId\": \"6ae96167-2df2-425c-9f91-27e6345eb782\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"7fa5e138-ac87-4063-a278-56c6c6965e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4360,7 +4360,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667519400Z", + "ingested": "2021-06-09T12:50:06.341669400Z", "original": "{\"InterSystemsId\": \"6b9a8662-857f-45e4-bbb2-d106d5aab41e\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:19\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"0fee3b91-5e56-45f6-9b3c-792602b1e500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4495,7 +4495,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667525200Z", + "ingested": "2021-06-09T12:50:06.341674100Z", "original": "{\"InterSystemsId\": \"6bab76a8-98bd-42e4-b722-a31fe81b030a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:40\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4621,7 +4621,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667533800Z", + "ingested": "2021-06-09T12:50:06.341678300Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:30:58\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8b270c82-1240-4a0a-ac15-1e1116261400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"c0a0d198-825b-4e39-b868-0a7b0552b209\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4757,7 +4757,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667540200Z", + "ingested": "2021-06-09T12:50:06.341682500Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:31:33\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"52b07191-3887-40fb-a001-f4122b0851d1\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4883,7 +4883,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667546200Z", + "ingested": "2021-06-09T12:50:06.341688600Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:14:25\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d949d6c2-472e-4901-bd70-96cbfe534c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"c62fa78d-daab-494e-a638-8321ebd71b9e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5019,7 +5019,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667552100Z", + "ingested": "2021-06-09T12:50:06.341693100Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:14:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"42c7ec91-1e2f-4505-b728-3a165b244f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"73c76212-8120-4e21-a383-c80d8327b606\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5157,7 +5157,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667558Z", + "ingested": "2021-06-09T12:50:06.341697100Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:29:56\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"8b8e8663-8a8c-4959-a692-e3eece085300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"29f94716-3717-4671-962e-9c739b764f07\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5295,7 +5295,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667563700Z", + "ingested": "2021-06-09T12:50:06.341701Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:51:23\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"361dd87e-3bc9-4f0a-b236-ed7365e28d00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"17d02385-1e30-45b7-949c-4d3dd549a0e7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5421,7 +5421,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667569700Z", + "ingested": "2021-06-09T12:50:06.341705Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:39:45\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"32b4cec1-00eb-44ea-be73-adc82387db00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e3346dd0-ecf6-4676-8765-365c7370b6fe\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5557,7 +5557,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667575600Z", + "ingested": "2021-06-09T12:50:06.341709Z", "original": "{\"InterSystemsId\": \"6fee997e-1b2a-4a95-a8be-ea85642ed652\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:40:16\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"LogonError\": \"UserStrongAuthClientAuthNRequiredInterrupt\", \"ApplicationId\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\"}], \"ObjectId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"ModifiedProperties\": [], \"ResultStatus\": \"Failed\", \"IntraSystemId\": \"a063e495-5883-4837-8186-582817fdd500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"FlowTokenScenario\", \"Value\": \"Login\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"Login:login\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoginFailed\", \"Id\": \"a772fd76-847f-4703-90f1-37eb81c9f392\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5692,7 +5692,7 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-09T12:47:50.667581400Z", + "ingested": "2021-06-09T12:50:06.341712800Z", "original": "{\"InterSystemsId\": \"7766ac63-ae7f-43e6-868a-a5422a96fd8b\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"adc9d69c-8ae6-41c7-b685-331453060a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"487e4f43-53db-4d6f-a314-5355746d4853\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5830,7 +5830,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667587200Z", + "ingested": "2021-06-09T12:50:06.341717100Z", "original": "{\"InterSystemsId\": \"781c1055-e731-48ee-a806-c3f39ba160e3\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:24\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"41f6b2dc-4db6-444c-93d9-829a842b87e2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5968,7 +5968,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667592900Z", + "ingested": "2021-06-09T12:50:06.341721200Z", "original": "{\"InterSystemsId\": \"82b07417-7b33-4531-952f-d3f719e2356a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:22\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"280b3410-9d51-4ce3-952d-5bba0bea6600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ec9fa29b-6201-456d-b228-ca1759e0bf6c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6094,7 +6094,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667598600Z", + "ingested": "2021-06-09T12:50:06.341725200Z", "original": "{\"InterSystemsId\": \"8571fe85-eb4a-430d-b468-97900e344923\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-06T09:28:04\", \"Actor\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"Unknown\", \"UserType\": 5, \"UserKey\": \"Not Available\", \"ClientIP\": \"83.57.233.151\", \"LogonError\": \"None\", \"ApplicationId\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d239e473-6687-4ff9-ac65-0e3c59961600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Logout\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6229,7 +6229,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667604400Z", + "ingested": "2021-06-09T12:50:06.341729Z", "original": "{\"InterSystemsId\": \"8d662bc0-0011-424d-a7dc-56bfc5a142b4\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:35\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d0a4e1ed-206d-4602-aaae-406a02c5c300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6367,7 +6367,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667610100Z", + "ingested": "2021-06-09T12:50:06.341733100Z", "original": "{\"InterSystemsId\": \"9270f20a-56f2-493e-b6a7-a859adcaf626\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:36\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"00000002-0000-0ff1-ce00-000000000000\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"97aa710f-536f-44c8-a8d5-711dc55f5500\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d2bb7eae-bc6e-42d2-b270-a885ec626235\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6505,7 +6505,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667615900Z", + "ingested": "2021-06-09T12:50:06.341737100Z", "original": "{\"InterSystemsId\": \"97c52753-c410-438f-89e2-22741e5ccc6a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:51:49\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c9ef5d5f-e3af-4669-b465-921d8b58bd00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"03de6d95-b955-451c-8311-473b6853d774\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6643,7 +6643,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667621400Z", + "ingested": "2021-06-09T12:50:06.341741100Z", "original": "{\"InterSystemsId\": \"9e0a494b-0db0-4481-a70e-eea6124b7018\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"e48d4214-364e-4731-b2b6-47dabf529218\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000004-0000-0ff1-ce00-000000000000\"}], \"ObjectId\": \"00000004-0000-0ff1-ce00-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"e7a84bcf-41ff-4953-8e99-fb1820685f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6781,7 +6781,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667627100Z", + "ingested": "2021-06-09T12:50:06.341744900Z", "original": "{\"InterSystemsId\": \"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:36\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"56fa424b-64bd-4ea5-abc4-38256f8a5600\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"880fb7bc-5708-42d1-86a8-760c32ac5e6b\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6919,7 +6919,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667632800Z", + "ingested": "2021-06-09T12:50:06.341748900Z", "original": "{\"InterSystemsId\": \"a35e980b-88be-4343-9691-629473e01983\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"78a2aa65-5026-4124-970a-00e06dc7df00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"30c7afcc-f74d-4b5a-898e-ce72da9386b8\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7057,7 +7057,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667638600Z", + "ingested": "2021-06-09T12:50:06.341752600Z", "original": "{\"InterSystemsId\": \"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-06T09:28:00\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"bfe22fb6-c763-4972-91a7-5b13d3d51400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7195,7 +7195,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667644300Z", + "ingested": "2021-06-09T12:50:06.341756500Z", "original": "{\"InterSystemsId\": \"aca3d9a3-792d-4357-87c6-ef50c3215baa\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f67a1615-4606-4673-b6fb-68f714fa2200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7333,7 +7333,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667650100Z", + "ingested": "2021-06-09T12:50:06.341760200Z", "original": "{\"InterSystemsId\": \"ae211253-88cf-4921-9014-2f9beab64fb0\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:37\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8ff18278-32ca-49d1-8658-91e577e0854f\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7471,7 +7471,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667655500Z", + "ingested": "2021-06-09T12:50:06.341764200Z", "original": "{\"InterSystemsId\": \"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:52\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"c1ffa732-6576-4f86-9294-44387abc1f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a3939990-f7b4-4dc5-af4d-42b70a9485ea\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7609,7 +7609,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667661200Z", + "ingested": "2021-06-09T12:50:06.341768100Z", "original": "{\"InterSystemsId\": \"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:01\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"d949d6c2-472e-4901-bd70-96cb90424c00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"61ba70f4-bd75-4bc2-a681-2e219d920e63\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7747,7 +7747,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667666900Z", + "ingested": "2021-06-09T12:50:06.341772Z", "original": "{\"InterSystemsId\": \"b5c5fd00-b659-413e-8739-6271a4d70506\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:12\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"80ccca67-54bd-44ab-8625-4b79c4dc7775\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000002-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000002-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3e17bf8e-92de-45b6-b668-7618ab0e0c95\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7885,7 +7885,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667672600Z", + "ingested": "2021-06-09T12:50:06.341775900Z", "original": "{\"InterSystemsId\": \"b744259e-13e0-43d7-9f56-82cdbd54cf7c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:52:06\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"ce9f104d-1a1b-488e-9313-b9729e99c400\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"f100d714-ffa2-4077-bf90-2f57a3b366c0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8020,7 +8020,7 @@ "ip": "37.29.234.179" }, "event": { - "ingested": "2021-06-09T12:47:50.667678100Z", + "ingested": "2021-06-09T12:50:06.341779500Z", "original": "{\"InterSystemsId\": \"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-08T14:33:50\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"37.29.234.179\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"37.29.234.179\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"49092519-a590-4207-b1b3-1d49f9100a00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8158,7 +8158,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667683700Z", + "ingested": "2021-06-09T12:50:06.341783400Z", "original": "{\"InterSystemsId\": \"bb677f9e-953a-4bde-bb91-0ef8209200a1\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:38\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1da3c318-642f-48dc-836b-e83b27655b00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8296,7 +8296,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667689400Z", + "ingested": "2021-06-09T12:50:06.341787200Z", "original": "{\"InterSystemsId\": \"c355f078-53d7-4d60-b836-851a09a98208\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:05\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"20e56367-e902-4200-855b-2ef7b99e5f00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8434,7 +8434,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667695Z", + "ingested": "2021-06-09T12:50:06.341791Z", "original": "{\"InterSystemsId\": \"c5874ff2-7c53-4d51-9252-7abbf0524b1c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:28:51\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"3188aef9-6b4e-44f2-8455-c28b49552200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8572,7 +8572,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667700600Z", + "ingested": "2021-06-09T12:50:06.341794800Z", "original": "{\"InterSystemsId\": \"cf2168a1-6537-4ed6-80a5-797c3458180c\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:25:21\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"00000003-0000-0000-c000-000000000000\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"23f53edd-63a7-4292-9d80-4fbc49c11e00\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"d137a5e4-7004-493a-acca-5fb167d1f207\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8710,7 +8710,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667706400Z", + "ingested": "2021-06-09T12:50:06.341798700Z", "original": "{\"InterSystemsId\": \"d21f6867-0670-4c94-b6fa-bde326fcf3c6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:20\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"79.159.10.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"79.159.10.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"False\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"73f0a2ef-35be-4a71-9545-59d879fc8fb2\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8848,7 +8848,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667712100Z", + "ingested": "2021-06-09T12:50:06.341802800Z", "original": "{\"InterSystemsId\": \"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"f22a3ad7-22e7-4296-a600-e4e9161a6000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3783acda-5ded-4d69-95b6-3df5344c0ce0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8986,7 +8986,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667723800Z", + "ingested": "2021-06-09T12:50:06.341806800Z", "original": "{\"InterSystemsId\": \"d960e058-1adb-4a84-a65b-1a6ce367e323\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:03\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"1dfdb693-18a1-4cff-aa3e-61feaa356100\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"f67568b1-64c4-4165-bdd9-16a5b9142eef\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -9124,7 +9124,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667730200Z", + "ingested": "2021-06-09T12:50:06.341810800Z", "original": "{\"InterSystemsId\": \"e2565aaf-91b0-4ccd-8810-743123eb7383\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:29:02\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"21166e08-6589-4c2d-a325-c97ba45f2200\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"a8114a24-d342-4689-b75e-51e6386763de\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -9262,7 +9262,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:50.667736Z", + "ingested": "2021-06-09T12:50:06.341814700Z", "original": "{\"InterSystemsId\": \"ede626b9-2035-4d02-8330-201c4ae82af6\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:25:21\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\"}], \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"98612804-9aa6-40a4-b72a-808bc7742000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"1eaf9c65-8c67-4cd9-9277-771589113752\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -9400,7 +9400,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:47:50.667741600Z", + "ingested": "2021-06-09T12:50:06.341818900Z", "original": "{\"InterSystemsId\": \"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:43:39\", \"Actor\": [{\"Type\": 0, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 15, \"ActorIpAddress\": \"213.97.47.133\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"213.97.47.133\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 0, \"ID\": \"Unknown\"}], \"ObjectId\": \"Unknown\", \"ModifiedProperties\": [], \"ResultStatus\": \"Succeeded\", \"IntraSystemId\": \"6e184f6f-887b-4410-b24d-723031366000\", \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"9\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"UserLoggedIn\", \"Id\": \"3c439e46-d454-4767-9320-1e75540821b7\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json
index 8e166c0b102..7074fa92f7c 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread.log-expected.json
@@ -164,7 +164,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355507900Z", + "ingested": "2021-06-09T12:50:10.080353700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", 
\"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": 
\"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -353,7 +353,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355527200Z", + "ingested": "2021-06-09T12:50:10.080371400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", 
\"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": 
\"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -542,7 +542,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355532200Z", + "ingested": "2021-06-09T12:50:10.080391300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, 
{\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1037807Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438635\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": 
\"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"8f6eb24b-6e61-4ee2-a376-31368c300613\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -740,7 +740,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355535900Z", + "ingested": "2021-06-09T12:50:10.080397Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": 
\"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1638042Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438642\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", 
\"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"b2cc2456-5ac5-4399-b960-82a40036476f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -938,7 +938,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355539400Z", + "ingested": "2021-06-09T12:50:10.080401200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:33:26\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"528b5206-f6de-4c1f-86db-5f750a9960c9\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:33:26.1638042Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38438642\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"b2cc2456-5ac5-4399-b960-82a40036476f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1149,7 +1149,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355542800Z", + "ingested": "2021-06-09T12:50:10.080404900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1360,7 +1360,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355546Z", + "ingested": "2021-06-09T12:50:10.080408800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464434\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"d8a2ae24-a752-4f8e-adca-c57189a76a71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1571,7 +1571,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355550100Z", + "ingested": "2021-06-09T12:50:10.080412100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1782,7 +1782,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355554700Z", + "ingested": "2021-06-09T12:50:10.080415300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464434\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"d8a2ae24-a752-4f8e-adca-c57189a76a71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1993,7 +1993,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355558400Z", + "ingested": "2021-06-09T12:50:10.080419800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"ac045271-8d7f-49b2-abc9-5130051d879f\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:06.3062012Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"31CXC\"}, {\"Name\": \"env_seqNum\", \"Value\": \"38464425\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR556\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"7f09b681-251f-4ff0-97cf-5247891b6981\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2204,7 +2204,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355561700Z", + "ingested": "2021-06-09T12:50:10.080424200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2415,7 +2415,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355565100Z", + "ingested": "2021-06-09T12:50:10.080428500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2626,7 +2626,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355568200Z", + "ingested": "2021-06-09T12:50:10.080432Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2837,7 +2837,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355571800Z", + "ingested": "2021-06-09T12:50:10.080435300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3048,7 +3048,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355575100Z", + "ingested": "2021-06-09T12:50:10.080438600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", 
@@ -3259,7 +3259,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355578300Z", + "ingested": "2021-06-09T12:50:10.080442400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", 
@@ -3470,7 +3470,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355582300Z", + "ingested": "2021-06-09T12:50:10.080446500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372061\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"02868191-019a-453a-a3a9-a21f44898778\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3681,7 +3681,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355585700Z", + "ingested": "2021-06-09T12:50:10.080450Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:47\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"d37460cd-3d19-4ae9-9515-015f27036e74\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:47.4999796Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FYE60\"}, {\"Name\": \"env_seqNum\", \"Value\": \"51372052\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3870,7 +3870,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355589100Z", + "ingested": "2021-06-09T12:50:10.080457400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n 
{\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.5873254Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492828\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"fe115c66-3e08-4ab4-8a00-84ae25a59078\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4059,7 +4059,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355592200Z", + "ingested": "2021-06-09T12:50:10.080461200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n 
}\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.5873254Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492828\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"fe115c66-3e08-4ab4-8a00-84ae25a59078\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4257,7 +4257,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355595500Z", + "ingested": "2021-06-09T12:50:10.080464600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T15:34:52\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"5345f95e-44e0-48fc-823c-8206ff821338\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T15:34:52.6473040Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"FQXLK\"}, {\"Name\": \"env_seqNum\", \"Value\": \"42492835\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR565\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"76f9b173-c35c-4dbb-b5f7-64750ae994ce\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4446,7 +4446,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355598700Z", + "ingested": "2021-06-09T12:50:10.080467900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4635,7 +4635,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355601900Z", + "ingested": "2021-06-09T12:50:10.080471400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4824,7 +4824,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355605300Z", + "ingested": "2021-06-09T12:50:10.080474900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"08d8bb01-c269-4a92-9929-a1a89b729512\"}, {\"Name\": 
\"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7174137Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793182\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": 
\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5022,7 +5022,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355608500Z", + "ingested": "2021-06-09T12:50:10.080478Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:25:54\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"51e48c97-80b1-42bb-b732-8b578dfac528\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:25:54.7823970Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"73AB6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43793206\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR575\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"606ae654-e71e-4a6b-a07c-85acd775667b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5233,7 +5233,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355611900Z", + "ingested": "2021-06-09T12:50:10.080481100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5444,7 +5444,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355615200Z", + "ingested": "2021-06-09T12:50:10.080484600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5655,7 +5655,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355618700Z", + "ingested": "2021-06-09T12:50:10.080488100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5866,7 +5866,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355622200Z", + "ingested": "2021-06-09T12:50:10.080491400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -6077,7 +6077,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355625600Z", + "ingested": "2021-06-09T12:50:10.080494700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -6288,7 +6288,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355628800Z", + "ingested": "2021-06-09T12:50:10.080498Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -6499,7 +6499,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355632Z", + "ingested": "2021-06-09T12:50:10.080501200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9992570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795878\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"41c7d7a7-ce53-4696-aa78-37c451a95fe1\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -6710,7 +6710,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355635300Z", + "ingested": "2021-06-09T12:50:10.080504400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:05\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:05.9242333Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795815\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Add app role assignment to service principal.\", \"Id\": \"14f7e7eb-0fd1-4f89-bda8-642d035f3541\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -6924,7 +6924,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355638400Z", + "ingested": "2021-06-09T12:50:10.080507700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:06.0142481Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795893\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"821dc03c-4e38-4cd1-82b2-3155b41b4418\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7138,7 +7138,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355641700Z", + "ingested": "2021-06-09T12:50:10.080511200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-09T18:26:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"206711cb-0722-49cc-a9ad-af7f34da9452\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-09T18:26:06.0142481Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"0871Y\"}, {\"Name\": \"env_seqNum\", \"Value\": \"46795893\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR530\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"821dc03c-4e38-4cd1-82b2-3155b41b4418\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7302,7 +7302,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:47:54.355645Z", + "ingested": "2021-06-09T12:50:10.080514400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:15:04\", \"Actor\": [{\"Type\": 5, \"ID\": \"fim_password_service@support.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"100300008060F582\"}, {\"Type\": 2, \"ID\": \"User_00000000-0000-0000-0000-000000000000\"}, {\"Type\": 2, \"ID\": \"00000000-0000-0000-0000-000000000000\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"d51ef8df-6617-4356-b8d4-89ad7efef31e\", \"RecordType\": 8, \"ActorIpAddress\": \"\", \"UserId\": \"fim_password_service@support.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"100300008060F582@support.onmicrosoft.com\", \"ClientIP\": \"\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"ObjectId\": \"asr@testsiem.onmicrosoft.com\", \"ModifiedProperties\": [{\"Name\": \"StrongAuthenticationPhoneAppDetail\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": 
\\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"StrongAuthenticationPhoneAppDetail\"}, {\"Name\": \"TargetId.UserType\", \"OldValue\": \"\", \"NewValue\": \"Member\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"d51ef8df-6617-4356-b8d4-89ad7efef31e\"}, {\"Name\": \"actorObjectId\", \"Value\": \"00000000-0000-0000-0000-000000000000\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"fim_password_service@support.onmicrosoft.com\"}, {\"Name\": \"actorPUID\", \"Value\": \"100300008060F582\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"targetPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"4aa56c6c-8fa5-4787-a165-03f181541438\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"UserType\\\":\\\"Member\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"UserManagement\"}, {\"Name\": 
\"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:15:04.2043419Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"4QPHR\"}, {\"Name\": \"env_seqNum\", \"Value\": \"87075075\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"becwebservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"becwebservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RBWSR554\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update user.\", \"Id\": \"83c924c1-f2e2-4b39-8eda-b80c3823a875\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7519,7 +7519,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355648300Z", + "ingested": "2021-06-09T12:50:10.080517500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7730,7 +7730,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355651500Z", + "ingested": "2021-06-09T12:50:10.080520900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7941,7 +7941,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355654900Z", + "ingested": "2021-06-09T12:50:10.080524300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:16:18\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2e358876-29c8-45b5-8dba-e233cf769988\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:16:18.9844570Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"Z4XUI\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43649666\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR581\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove OAuth2PermissionGrant.\", \"Id\": \"ec6ba716-ec04-460a-8d9e-661d732c4689\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8152,7 +8152,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355658100Z", + "ingested": "2021-06-09T12:50:10.080527600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908032\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"31d7436e-85aa-4aee-a945-6a0ff51ea975\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8363,7 +8363,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355661200Z", + "ingested": "2021-06-09T12:50:10.080531100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8574,7 +8574,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355664400Z", + "ingested": "2021-06-09T12:50:10.080534500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908032\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Remove app role assignment from service principal.\", \"Id\": \"31d7436e-85aa-4aee-a945-6a0ff51ea975\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8785,7 +8785,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355667500Z", + "ingested": "2021-06-09T12:50:10.080538100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8996,7 +8996,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355670600Z", + "ingested": "2021-06-09T12:50:10.080541600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:00\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"b2484c3c-5461-43ab-850b-70fccf706796\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:00.2133065Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"OLE3R\"}, {\"Name\": \"env_seqNum\", \"Value\": \"55908041\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR551\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9207,7 +9207,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355673800Z", + "ingested": "2021-06-09T12:50:10.080544800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9418,7 +9418,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355677Z", + "ingested": "2021-06-09T12:50:10.080548100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9629,7 +9629,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355680100Z", + "ingested": "2021-06-09T12:50:10.080551500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9840,7 +9840,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355683600Z", + "ingested": "2021-06-09T12:50:10.080554700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10051,7 +10051,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355686700Z", + "ingested": "2021-06-09T12:50:10.080557900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": 
\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735117\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": 
\"Remove app role assignment from service principal.\", \"Id\": \"227bc85c-0c21-4df3-9e11-3a24f104e1e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10262,7 +10262,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355689900Z", + "ingested": "2021-06-09T12:50:10.080561300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10473,7 +10473,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355693Z", + "ingested": "2021-06-09T12:50:10.080564700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:17:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"2f79971d-1802-40d2-b048-6cf4f85c010b\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:17:45.3474390Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"95CEL\"}, {\"Name\": \"env_seqNum\", \"Value\": \"44735126\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR519\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add a deletion-marked app role assignment grant to service principal as part of link removal.\", \"Id\": 
\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10687,7 +10687,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355696300Z", + "ingested": "2021-06-09T12:50:10.080568Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3393756Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118027\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"0031778a-80cf-49f8-aea2-f798c9bf1ec9\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10901,7 +10901,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355699600Z", + "ingested": "2021-06-09T12:50:10.080571400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem\"}, {\"Type\": 2, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Type\": 4, \"ID\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ObjectId\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"NewValue\": \"True\", \"OldValue\": \"\", \"Name\": \"ConsentContext.OnBehalfOfAll\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"targetName\", \"Value\": \"siem\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3393756Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118027\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"0031778a-80cf-49f8-aea2-f798c9bf1ec9\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11112,7 +11112,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355702600Z", + "ingested": "2021-06-09T12:50:10.080574500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11323,7 +11323,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355706200Z", + "ingested": "2021-06-09T12:50:10.080578100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11534,7 +11534,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355709400Z", + "ingested": "2021-06-09T12:50:10.080581400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11745,7 +11745,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355712700Z", + "ingested": "2021-06-09T12:50:10.080584900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": 
\"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.3343965Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43118019\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": 
\"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11956,7 +11956,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355732900Z", + "ingested": "2021-06-09T12:50:10.080589100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -12167,7 +12167,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355739300Z", + "ingested": "2021-06-09T12:50:10.080594300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.2593808Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117959\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a73c1c7e-5591-4912-94cc-527ad6f48ed8\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -12378,7 +12378,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355743900Z", + "ingested": "2021-06-09T12:50:10.080597600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.2593808Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117959\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a73c1c7e-5591-4912-94cc-527ad6f48ed8\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -12589,7 +12589,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355747700Z", + "ingested": "2021-06-09T12:50:10.080600800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\"}, {\"NewValue\": \"siem\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -12800,7 +12800,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355751700Z", + "ingested": "2021-06-09T12:50:10.080604700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:30:06\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"NewValue\": \"5c242833-909c-4c6b-bca3-50feaaa98d23\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"71a0194b-b70c-44a6-82f2-d4670aee4585\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"654d7080-aee6-4826-abd9-c5710b336614\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-10T15:30:06.1843731Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"38FW7\"}, {\"Name\": \"env_seqNum\", \"Value\": \"43117912\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR57\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"678f80a3-92c4-4bb6-83a1-1c39d5a87225\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13001,7 +13001,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355755200Z", + "ingested": "2021-06-09T12:50:10.080608Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13202,7 +13202,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355758500Z", + "ingested": "2021-06-09T12:50:10.080611400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", 
\"OldValue\": \"[]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13403,7 +13403,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355761900Z", + "ingested": "2021-06-09T12:50:10.080615300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"AvailableToOtherTenants\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n false\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13604,7 +13604,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355765100Z", + "ingested": "2021-06-09T12:50:10.080618700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"AppId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n false\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AvailableToOtherTenants\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n 
],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.6833528Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554400\"}, {\"Name\": 
\"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add application.\", \"Id\": \"689aaff0-b34f-4077-9244-0563b9f9c03b\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13803,7 +13803,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355768400Z", + "ingested": "2021-06-09T12:50:10.080622100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:30\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}, {\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}], \"ObjectId\": \"asr@testsiem.onmicrosoft.com\", \"ModifiedProperties\": [{\"Name\": \"Application.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"Application.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"Application.AppId\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": 
\"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"targetPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"484659af-7387-4b77-b889-c4d2a8060004\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:30.7383513Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"SDA9U\"}, {\"Name\": \"env_seqNum\", \"Value\": \"41554439\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": 
\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR521\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add owner to application.\", \"Id\": \"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14024,7 +14024,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355771600Z", + "ingested": "2021-06-09T12:50:10.080625500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"AccountEnabled\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n true\\r\\n]\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14242,7 +14242,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355775100Z", + "ingested": "2021-06-09T12:50:10.080628700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"AccountEnabled\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n true\\r\\n]\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"Credential\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14460,7 +14460,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355778400Z", + "ingested": "2021-06-09T12:50:10.080631600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n true\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AccountEnabled\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"DisplayName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\"}, {\"Name\": \"ServicePrincipalName\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14678,7 +14678,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355781600Z", + "ingested": "2021-06-09T12:50:10.080634900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:36:31\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n true\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"AccountEnabled\"}, {\"Name\": \"AppPrincipalId\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\"}, {\"NewValue\": \"[\\r\\n \\\"siem2\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"DisplayName\"}, {\"NewValue\": \"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"ServicePrincipalName\"}, {\"Name\": \"Credential\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n {\\r\\n 
\\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"381d015d-6660-4dce-af99-4cd8c3b61d4d\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": 
\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:36:31.1327910Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"NNJOH\"}, {\"Name\": \"env_seqNum\", \"Value\": \"39121960\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR568\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add service principal.\", \"Id\": \"48403af8-b712-4e63-a999-686b631240ac\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14858,7 +14858,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355785Z", + "ingested": "2021-06-09T12:50:10.080638200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, 
{\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826392\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", 
\"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15047,7 +15047,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355788100Z", + "ingested": "2021-06-09T12:50:10.080641600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"KeyDescription\", \"OldValue\": \"[]\", \"NewValue\": \"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"KeyDescription\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": 
\"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"KeyDescription\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826385\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", 
\"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application \\u2013 Certificates and secrets management \", \"Id\": \"20a82fa1-625b-491a-a3e8-54d779a9b17e\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15236,7 +15236,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355791400Z", + "ingested": "2021-06-09T12:50:10.080644700Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\", \"OldValue\": \"[]\", \"Name\": \"KeyDescription\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"KeyDescription\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": 
\"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"KeyDescription\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.0442303Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826385\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", 
\"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application \\u2013 Certificates and secrets management \", \"Id\": \"20a82fa1-625b-491a-a3e8-54d779a9b17e\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15434,7 +15434,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355794700Z", + "ingested": "2021-06-09T12:50:10.080648200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15632,7 +15632,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355798500Z", + "ingested": "2021-06-09T12:50:10.080651500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15830,7 +15830,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355801800Z", + "ingested": "2021-06-09T12:50:10.080654600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:42:45\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"531446ed-abd2-468f-96a8-a4dcc7b05168\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:42:45.1042022Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"VYXPT\"}, {\"Name\": \"env_seqNum\", \"Value\": \"45826464\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR559\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"15adbe69-7974-41ec-8341-208456600ad3\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16019,7 +16019,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355804800Z", + "ingested": "2021-06-09T12:50:10.080657800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n 
\\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16208,7 +16208,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355808300Z", + "ingested": "2021-06-09T12:50:10.080661100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"Name\": \"RequiredResourceAccess\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n 
\\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"}, {\"NewValue\": \"RequiredResourceAccess\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16397,7 +16397,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355811500Z", + "ingested": "2021-06-09T12:50:10.080664600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Type\": 2, \"ID\": \"Application\"}, {\"Type\": 1, \"ID\": \"siem2\"}], \"ObjectId\": \"Not Available\", \"ModifiedProperties\": [{\"NewValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"OldValue\": \"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\", \"Name\": \"RequiredResourceAccess\"}, {\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"RequiredResourceAccess\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"33cdc459-1335-4d6c-b773-f5eef4df7793\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Application\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"RequiredResourceAccess\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": 
\"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2045249Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620418\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update application.\", \"Id\": \"d23b201c-5436-4ecc-a789-18d3f00ea76c\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16595,7 +16595,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355814900Z", + "ingested": "2021-06-09T12:50:10.080667800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16793,7 +16793,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355818100Z", + "ingested": "2021-06-09T12:50:10.080671500Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"Included Updated Properties\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16991,7 +16991,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355821800Z", + "ingested": "2021-06-09T12:50:10.080674800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:37\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"Included Updated Properties\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", 
\"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:37.2595378Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34620448\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": 
\"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Update service principal.\", \"Id\": \"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -17202,7 +17202,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355825Z", + "ingested": "2021-06-09T12:50:10.080678100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8071361Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622707\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"256e3859-87ca-4b23-b2c0-45a26ccd7925\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -17413,7 +17413,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355828200Z", + "ingested": "2021-06-09T12:50:10.080682Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -17624,7 +17624,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355832900Z", + "ingested": "2021-06-09T12:50:10.080685900Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -17835,7 +17835,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355836100Z", + "ingested": "2021-06-09T12:50:10.080689400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -18046,7 +18046,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355839600Z", + "ingested": "2021-06-09T12:50:10.080693800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -18257,7 +18257,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355842700Z", + "ingested": "2021-06-09T12:50:10.080697Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8821342Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622751\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", 
@@ -18468,7 +18468,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355846Z", + "ingested": "2021-06-09T12:50:10.080700200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"siem2\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.AppId\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, 
{\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.8071361Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622707\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"256e3859-87ca-4b23-b2c0-45a26ccd7925\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", 
@@ -18679,7 +18679,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355849200Z", + "ingested": "2021-06-09T12:50:10.080703400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:41\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Office 365 Management APIs\"}, {\"Type\": 2, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\"}, {\"Type\": 4, \"ID\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}], \"ObjectId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"NewValue\": \"siem2\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": 
\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"NewValue\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"efe101d0-818a-4f19-b2f8-53186f8218ad\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"}, {\"Name\": \"targetName\", \"Value\": \"Office 365 Management APIs\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", 
\"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:41.9571526Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622781\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment to service principal.\", \"Id\": \"a4a12952-3467-4d48-9950-48b4b9ac87b3\"}", "code": 
"AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -18890,7 +18890,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355852600Z", + "ingested": "2021-06-09T12:50:10.080707Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -19101,7 +19101,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355855900Z", + "ingested": "2021-06-09T12:50:10.080710100Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"Name\": \"ServicePrincipal.ObjectID\", \"OldValue\": \"\", \"NewValue\": 
\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.DisplayName\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.Name\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -19312,7 +19312,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355859200Z", + "ingested": "2021-06-09T12:50:10.080713300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"Microsoft Graph\"}, {\"Type\": 2, \"ID\": \"00000003-0000-0000-c000-000000000000\"}, {\"Type\": 4, \"ID\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ObjectId\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\", \"ModifiedProperties\": [{\"NewValue\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\", \"OldValue\": \"\", \"Name\": 
\"ServicePrincipal.ObjectID\"}, {\"Name\": \"ServicePrincipal.DisplayName\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ServicePrincipal.AppId\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ServicePrincipal.Name\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"}, {\"Name\": \"targetName\", \"Value\": \"Microsoft Graph\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": 
\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.0571467Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622817\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", 
\"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add OAuth2PermissionGrant.\", \"Id\": \"db3ce560-1c2f-4c85-b305-55ad6476250f\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -19526,7 +19526,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355862400Z", + "ingested": "2021-06-09T12:50:10.080716400Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.IsAppOnly\", \"OldValue\": \"\", \"NewValue\": \"False\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"\", \"OldValue\": \"\", \"Name\": \"ConsentContext.Tags\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -19740,7 +19740,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355865600Z", + "ingested": "2021-06-09T12:50:10.080719600Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"Name\": \"ConsentContext.OnBehalfOfAll\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -19954,7 +19954,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355869Z", + "ingested": "2021-06-09T12:50:10.080722800Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"ConsentContext.IsAdminConsent\", \"OldValue\": \"\", \"NewValue\": \"True\"}, {\"NewValue\": \"False\", \"OldValue\": \"\", \"Name\": \"ConsentContext.IsAppOnly\"}, {\"NewValue\": \"True\", \"OldValue\": \"\", \"Name\": \"ConsentContext.OnBehalfOfAll\"}, {\"Name\": \"ConsentContext.Tags\", \"OldValue\": \"\", \"NewValue\": \"\"}, {\"Name\": \"ConsentAction.Permissions\", \"OldValue\": \"\", \"NewValue\": \"[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"ApplicationManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"ServicePrincipal\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": 
\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622848\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", \"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Consent to application.\", \"Id\": \"24524679-8930-4afd-83b8-2dc70aa0a016\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -20161,7 +20161,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355872100Z", + "ingested": "2021-06-09T12:50:10.080726Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"User.UPN\", \"OldValue\": \"\", \"NewValue\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -20368,7 +20368,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355875300Z", + "ingested": "2021-06-09T12:50:10.080729200Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"User.UPN\", \"OldValue\": \"\", \"NewValue\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"OldValue\": \"\", \"Name\": \"TargetId.ServicePrincipalNames\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -20575,7 +20575,7 @@ "ip": "83.57.233.151" }, "event": { - "ingested": "2021-06-09T12:47:54.355878600Z", + "ingested": "2021-06-09T12:50:10.080732300Z", "original": "{\"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-11T16:45:42\", \"Actor\": [{\"Type\": 5, \"ID\": \"asr@testsiem.onmicrosoft.com\"}, {\"Type\": 3, \"ID\": \"1003200096971F55\"}, {\"Type\": 2, \"ID\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Type\": 2, \"ID\": \"User_755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Type\": 2, \"ID\": \"User\"}], \"Version\": 1, \"ActorContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"RecordType\": 8, \"ActorIpAddress\": \"83.57.233.151\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"UserType\": 0, \"UserKey\": \"1003200096971F55@testsiem.onmicrosoft.com\", \"ClientIP\": \"83.57.233.151\", \"SupportTicketId\": \"\", \"Workload\": \"AzureActiveDirectory\", \"Target\": [{\"Type\": 2, \"ID\": \"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Type\": 2, \"ID\": \"ServicePrincipal\"}, {\"Type\": 1, \"ID\": \"siem2\"}, {\"Type\": 2, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Type\": 4, \"ID\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ObjectId\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\", \"ModifiedProperties\": [{\"Name\": \"User.ObjectID\", \"OldValue\": \"\", \"NewValue\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"NewValue\": \"asr@testsiem.onmicrosoft.com\", \"OldValue\": \"\", \"Name\": \"User.UPN\"}, {\"Name\": \"User.PUID\", \"OldValue\": \"\", \"NewValue\": \"1003200096971F55\"}, {\"Name\": \"TargetId.ServicePrincipalNames\", \"OldValue\": \"\", \"NewValue\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}], \"ResultStatus\": \"Success\", \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": 
\"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"actorContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"actorObjectId\", \"Value\": \"755e500a-6c03-46b0-b53b-282f23374e3b\"}, {\"Name\": \"actorObjectClass\", \"Value\": \"User\"}, {\"Name\": \"actorUPN\", \"Value\": \"asr@testsiem.onmicrosoft.com\"}, {\"Name\": \"actorAppID\", \"Value\": \"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"}, {\"Name\": \"actorPUID\", \"Value\": \"1003200096971F55\"}, {\"Name\": \"teamName\", \"Value\": \"MSODS.\"}, {\"Name\": \"targetContextId\", \"Value\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"}, {\"Name\": \"targetObjectId\", \"Value\": \"fb91e9f0-9485-4a68-89e9-a164d20ae855\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}, {\"Name\": \"targetSPN\", \"Value\": \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}, {\"Name\": \"targetName\", \"Value\": \"siem2\"}, {\"Name\": \"targetIncludedUpdatedProperties\", \"Value\": \"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"}, {\"Name\": \"correlationId\", \"Value\": \"1e80f57e-764e-4c42-bead-7ccf998fe780\"}, {\"Name\": \"version\", \"Value\": \"2\"}, {\"Name\": \"additionalTargets\", \"Value\": \"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"}, {\"Name\": \"additionalDetails\", \"Value\": \"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"}, {\"Name\": \"env_ver\", \"Value\": \"2.1\"}, {\"Name\": \"env_name\", \"Value\": \"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"}, {\"Name\": \"env_time\", \"Value\": \"2020-02-11T16:45:42.1421458Z\"}, {\"Name\": \"env_epoch\", \"Value\": \"748B6\"}, {\"Name\": \"env_seqNum\", \"Value\": \"34622843\"}, {\"Name\": \"env_popSample\", \"Value\": \"0\"}, {\"Name\": \"env_iKey\", 
\"Value\": \"ikey\"}, {\"Name\": \"env_flags\", \"Value\": \"257\"}, {\"Name\": \"env_cv\", \"Value\": \"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"}, {\"Name\": \"env_os\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_osVer\", \"Value\": \"\u003cnull\u003e\"}, {\"Name\": \"env_appId\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_appVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_ver\", \"Value\": \"1.0\"}, {\"Name\": \"env_cloud_name\", \"Value\": \"MSO-AM5R\"}, {\"Name\": \"env_cloud_role\", \"Value\": \"restdirectoryservice\"}, {\"Name\": \"env_cloud_roleVer\", \"Value\": \"1.0.11737.0\"}, {\"Name\": \"env_cloud_roleInstance\", \"Value\": \"AM5RRDSR571\"}, {\"Name\": \"env_cloud_environment\", \"Value\": \"PROD\"}, {\"Name\": \"env_cloud_deploymentUnit\", \"Value\": \"R5\"}], \"TargetContextId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AzureActiveDirectoryEventType\": 1, \"Operation\": \"Add app role assignment grant to user.\", \"Id\": \"fb84e87b-9a45-49bf-91d8-30f3880ca99d\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml index 11d3497e928..cebdd1f4aa6 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -6,4 +6,4 @@ fields: "tenants": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd": "mytenant.onmicrosoft.com" tags: - - preserve_original_event \ No newline at end of file + - preserve_original_event diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json index 57579f991ed..79c4a940af6 100644 
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api.log-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.158030500Z", + "ingested": "2021-06-09T12:50:17.935344100Z", "original": "{\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\", \"RecordType\": 52}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -72,7 +72,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.158066200Z", + "ingested": "2021-06-09T12:50:17.935358800Z", "original": "{\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\", \"RecordType\": 52}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -119,7 +119,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.158073400Z", + "ingested": "2021-06-09T12:50:17.935362500Z", "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"CreationTime\": \"2020-02-10T15:13:38\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -166,7 +166,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.158077500Z", + "ingested": "2021-06-09T12:50:17.935365700Z", "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -213,7 +213,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.158080800Z",
+ "ingested": "2021-06-09T12:50:17.935368300Z",
 "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\"}",
 "code": "DataInsightsRestApiAudit",
 "provider": "SecurityComplianceCenter",
@@ -260,7 +260,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.158083800Z",
+ "ingested": "2021-06-09T12:50:17.935370900Z",
 "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"DataType\": \"DataInsightsSubscription\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}",
 "code": "DataInsightsRestApiAudit",
 "provider": "SecurityComplianceCenter",
@@ -307,7 +307,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.158086900Z",
+ "ingested": "2021-06-09T12:50:17.935373400Z",
 "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"DataType\": \"DataInsightsSubscription\", \"UserId\": \"Service Account\", \"CreationTime\": \"2020-02-10T15:13:38\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\"}",
 "code": "DataInsightsRestApiAudit",
 "provider": "SecurityComplianceCenter",
@@ -354,7 +354,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.158089800Z",
+ "ingested": "2021-06-09T12:50:17.935376100Z",
 "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T10:53:26\", \"UserId\": \"Service Account\", \"DataType\": \"DataInsightsSubscription\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\"}",
 "code": "DataInsightsRestApiAudit",
 "provider": "SecurityComplianceCenter",
@@ -401,7 +401,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.158092700Z",
+ "ingested": "2021-06-09T12:50:17.935378700Z",
 "original": "{\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"UserType\": 5, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"Service Account\", \"CreationTime\": \"2020-02-12T21:38:38\", \"DataType\": \"DataInsightsSubscription\", \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\"}",
 "code": "DataInsightsRestApiAudit",
 "provider": "SecurityComplianceCenter",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json
index 6459ed64f26..052a31f9086 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange.log-expected.json
@@ -151,7 +151,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.317121300Z", + "ingested": "2021-06-09T12:50:18.096211300Z", "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -323,7 +323,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.317137400Z", + "ingested": "2021-06-09T12:50:18.096226200Z", "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleUndo\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -498,7 +498,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.317141300Z", + "ingested": "2021-06-09T12:50:18.096229700Z", "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" }\",\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -673,7 +673,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.317144400Z", + "ingested": "2021-06-09T12:50:18.096232800Z", "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserId\":\"DlpAgent\",\"UserType\":4,\"Version\":1,\"ExceptionInfo\":{ \"FalsePositive\": true },\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"High\",\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"High volume of content detected test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"},{\"Severity\":\"Medium\",\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"RuleName\":\"Mid volume of content detected 
test\",\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13405,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"RecordType\":13}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -800,7 +800,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T12:48:02.317147300Z",
+ "ingested": "2021-06-09T12:50:18.096235800Z",
 "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"DlpAgent\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"Low\",\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleName\":\"Low volume of content detected test\",\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"ExchangeMetaData\":{\"From\":\"asr@testsiem2.onmicrosoft.com\",\"CC\":[\"asr@example.net\"],\"BCC\":[],\"To\":[\"asr@example.org\"],\"FileSize\":13310,\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"MessageID\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"RecordType\":13}",
 "code": "ComplianceDLPExchange",
 "provider": "Exchange",
@@ -918,7 +918,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T12:48:02.317150300Z",
+ "ingested": "2021-06-09T12:50:18.096238800Z",
 "original": "{\"Workload\":\"Exchange\",\"SensitiveInfoDetectionIsIncluded\":false,\"ObjectId\":\"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"DlpAgent\",\"CreationTime\":\"2020-02-24T20:11:15\",\"UserType\":4,\"Version\":1,\"PolicyDetails\":[{\"Rules\":[{\"Severity\":\"Low\",\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleName\":\"Low volume of content detected test\",\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\"},{\"Count\":1,\"UniqueCount\":1,\"Confidence\":75,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\"}]},\"RuleMode\":\"Enable\"}],\"PolicyName\":\"test\",\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\"}],\"SharePointMetaData\":{\"From\":\"alice@testsiem2.onmicrosoft.com\",\"itemCreationTime\":\"2020-02-20T11:23:45\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\"},\"UserKey\":\"1153801116545789462\",\"Operation\":\"DlpRuleMatch\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"RecordType\":13}",
 "code": "ComplianceDLPExchange",
 "provider": "Exchange",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json
index e9542be5bcd..8ba8e184ffc 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint.log-expected.json
@@ -84,7 +84,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-09T12:48:02.532147300Z",
+ "ingested": "2021-06-09T12:50:18.312998100Z",
 "original": "{\"Workload\": \"OneDrive\", \"SensitiveInfoDetectionIsIncluded\": false, \"ObjectId\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:20:15\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"Low\", \"RuleId\": \"c5981414-9f1f-4275-a2df-2fbfb1d03795\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"NotifyUser\"], \"RuleName\": \"Low volume of content detected U.S. Financial\", \"ActionParameters\": [], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:19:43\", \"ItemCreationTime\": \"2020-02-25T15:22:49\", \"FileName\": \"Customers Financial Data.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"FileOwner\": \"Alan Smithee\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"3066c3c5-eb56-dd03-b000-08d7ba115afd\", \"Id\": \"a21f13b9-22b6-405b-bf9e-a07ad8d456da\", \"RecordType\": 11}",
 "code": "ComplianceDLPSharePoint",
 "provider": "OneDrive",
@@ -198,7 +198,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.532160Z", + "ingested": "2021-06-09T12:50:18.313014200Z", "original": "{\"Workload\": \"OneDrive\", \"SensitiveInfoDetectionIsIncluded\": false, \"ObjectId\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:23:39\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"7503b92a-67c2-494b-8a46-57ef0d738886\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected U.S. Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. 
Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"ItemCreationTime\": \"2020-02-25T16:21:50\", \"FileName\": \"Customers Financial Data Copy.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"FileOwner\": \"Alan Smithee\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"eeeb7b44-fc69-c19f-b000-08d7ba115afd\", \"Id\": \"eb8259c8-d2c2-449d-bd35-5c8a033eb629\", \"RecordType\": 11}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -308,7 +308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-09T12:48:02.532163800Z", + "ingested": "2021-06-09T12:50:18.313017900Z", "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-25T16:23:39\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"Low\", \"RuleId\": \"c5981414-9f1f-4275-a2df-2fbfb1d03795\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"NotifyUser\"], \"RuleName\": \"Low volume of content detected U.S. Financial\", \"ActionParameters\": [], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"ItemCreationTime\": \"2020-02-25T16:21:50\", \"FileName\": \"Customers Financial Data Copy.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"856386d5-c9cd-46e9-b53b-fd01ed590b68\", \"FileOwner\": \"Alan Smithee\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"eeeb7b44-fc69-c19f-b000-08d7ba115afd\", \"Id\": \"50a90c83-7e15-4679-8778-d9dd30927e66\", \"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", 
"provider": "OneDrive", 
@@ -422,7 +422,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.532166800Z", + "ingested": "2021-06-09T12:50:18.313020900Z", "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"CreationTime\": \"2020-02-25T16:22:22\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"7503b92a-67c2-494b-8a46-57ef0d738886\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 12, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 1, \"Confidence\": 75, \"SensitiveType\": \"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected U.S. Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"U.S. 
Financial Data\", \"PolicyId\": \"a15b4790-085f-43c1-90ad-853b16cedeec\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\", \"ItemLastModifiedTime\": \"2020-02-25T16:21:44\", \"ItemCreationTime\": \"2020-02-25T15:22:49\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\", \"FileOwner\": \"Alan Smithee\", \"FileName\": \"Customers Financial Data.docx\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"3066c3c5-eb56-dd03-b000-08d7ba115afd\", \"Id\": \"59652f9a-087c-4b65-b88c-b293ade34202\", \"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -536,7 +536,7 @@ }, "event": { "severity": 4, - "ingested": "2021-06-09T12:48:02.532170100Z", + "ingested": "2021-06-09T12:50:18.313023800Z", "original": "{\"Workload\": \"OneDrive\", \"RecordType\": 11, \"ObjectId\": \"f026407b-090a-4c15-99b5-09851842d96d\", \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"CreationTime\": \"2020-02-26T10:13:48\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"bc4d376f-b038-4695-9362-609d32f963cf\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 23, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"Actions\": [\"BlockAccess\", \"NotifyUser\", \"GenerateIncidentReport\"], \"RuleName\": \"High volume of content detected France Financial\", \"ActionParameters\": [\"GenerateIncidentReport:SiteAdmin\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"ASR@TESTSIEM2.ONMICROSOFT.COM\", \"FilePathUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:46:23\", \"SiteCollectionUrl\": \"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\", \"ItemCreationTime\": \"2020-02-26T09:44:40\", \"FileName\": \"INTERNAL CREDIT CARD NUMBERS.docx\", \"SiteCollectionGuid\": \"eae3edad-a192-43a9-b317-98d7ea5e3939\", \"UniqueID\": \"f026407b-090a-4c15-99b5-09851842d96d\", \"FileOwner\": \"Alan Smithee\"}, \"UserKey\": \"DlpPolicyEventBasedAssistantOneDriveForBusiness\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"f7295114-e601-f2b6-8800-08d7baa56f8b\", \"Id\": \"d69c6758-f210-43bd-bac1-563adef4b4cf\", 
\"SensitiveInfoDetectionIsIncluded\": false}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -650,7 +650,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-06-09T12:48:02.532172800Z",
+ "ingested": "2021-06-09T12:50:18.313026900Z",
 "original": "{\"Workload\": \"SharePoint\", \"SensitiveInfoDetectionIsIncluded\": false, \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DLPAgent\", \"CreationTime\": \"2020-02-26T12:39:40\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\", \"RuleName\": \"Low volume of content detected France Financial\", \"Actions\": [\"NotifyUser\", \"GenerateAlert\"], \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 2, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"ActionParameters\": [\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"alice@testsiem2.onmicrosoft.com\", \"UniqueID\": \"3ace820e-9358-4520-9df6-5bd65602cef0\", \"FilePathUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:56:12\", \"SiteCollectionUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications\", \"ItemCreationTime\": \"2020-02-26T09:55:38\", \"SiteCollectionGuid\": \"4aaa3319-df17-4ea0-a142-42cf204cfc62\", \"FileSize\": 35920, \"IsViewableByExternalUsers\": false, \"FileOwner\": \"alice@testsiem2.onmicrosoft.com\", \"FileName\": \"Document.docx\"}, \"UserKey\": \"DLPAgent\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"0ae82be2-e321-ab52-d000-08d7bab8fe55\", \"Id\": \"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\", \"RecordType\": 11}",
 "code": "ComplianceDLPSharePoint",
 "provider": "SharePoint",
@@ -764,7 +764,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-06-09T12:48:02.532175600Z",
+ "ingested": "2021-06-09T12:50:18.313029700Z",
 "original": "{\"Workload\": \"SharePoint\", \"SensitiveInfoDetectionIsIncluded\": false, \"OrganizationId\": \"0e1dddce-163e-4b0b-9e33-87ba56ac4655\", \"UserId\": \"DLPAgent\", \"CreationTime\": \"2020-02-26T12:39:40\", \"UserType\": 4, \"Version\": 1, \"PolicyDetails\": [{\"Rules\": [{\"Severity\": \"High\", \"RuleId\": \"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\", \"ConditionsMatched\": {\"SensitiveInformation\": [{\"Count\": 42, \"Confidence\": 85, \"SensitiveType\": \"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"}, {\"Count\": 2, \"Confidence\": 85, \"SensitiveType\": \"0e9b3178-9678-47dd-a509-37222ca96b42\"}]}, \"Actions\": [\"NotifyUser\", \"GenerateAlert\"], \"RuleName\": \"Low volume of content detected France Financial\", \"ActionParameters\": [\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"], \"RuleMode\": \"Enable\"}], \"PolicyName\": \"Financial Data Detection\", \"PolicyId\": \"08745d02-5d45-48bd-98e1-8199ab1efdbe\"}], \"SharePointMetaData\": {\"From\": \"alice@testsiem2.onmicrosoft.com\", \"IsViewableByExternalUsers\": false, \"FilePathUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\", \"ItemLastModifiedTime\": \"2020-02-26T09:56:12\", \"SiteCollectionUrl\": \"https://testsiem2.sharepoint.com/sites/Internalcommunications\", \"ItemCreationTime\": \"2020-02-26T09:55:38\", \"FileName\": \"Document.docx\", \"SiteCollectionGuid\": \"4aaa3319-df17-4ea0-a142-42cf204cfc62\", \"FileSize\": 35920, \"UniqueID\": \"3ace820e-9358-4520-9df6-5bd65602cef0\", \"FileOwner\": \"alice@testsiem2.onmicrosoft.com\"}, \"UserKey\": \"DLPAgent\", \"Operation\": \"DLPRuleMatch\", \"IncidentId\": \"0ae82be2-e321-ab52-d000-08d7bab8fe55\", \"Id\": \"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\", \"RecordType\": 11}",
 "code": "ComplianceDLPSharePoint",
 "provider": "SharePoint",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json
index 69def7bb68b..4c9b6b105f6 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin.log-expected.json
@@ -49,7 +49,7 @@
 "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
 },
 "event": {
- "ingested": "2021-06-09T12:48:02.763201500Z",
+ "ingested": "2021-06-09T12:50:18.547159400Z",
 "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}",
 "code": "ExchangeAdmin",
 "provider": "Exchange",
@@ -130,7 +130,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763217400Z", + "ingested": "2021-06-09T12:50:18.547174800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"6c3454e1-1a13-411b-bed1-08d7adfc0c09\", \"CreationTime\": \"2020-02-10T07:37:14\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -211,7 +211,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763222Z", + "ingested": "2021-06-09T12:50:18.547178900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"b5131b23-3efb-481a-c05b-08d7ac0f2a82\", \"CreationTime\": \"2020-02-07T20:49:03\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -279,7 +279,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763225100Z", + "ingested": "2021-06-09T12:50:18.547182100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-DefaultSharingPolicy\", \"Id\": \"ef597809-1c52-4a85-7cce-08d7adfc0939\", \"CreationTime\": \"2020-02-10T07:37:09\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -347,7 +347,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763228Z", + "ingested": "2021-06-09T12:50:18.547184900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-AdminAuditLogConfig\", \"Id\": \"362ff802-6df6-47e5-09a2-08d7adfc095b\", \"CreationTime\": \"2020-02-10T07:37:09\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -416,7 +416,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763230600Z", + "ingested": "2021-06-09T12:50:18.547187600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:13\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"ea769bfc-fa67-465c-767a-08d7adfc0b7b\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -486,7 +486,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763233300Z", + "ingested": "2021-06-09T12:50:18.547190300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"}, {\"Name\": \"UMDataStorage\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\", \"Id\": \"168019d2-1e8a-4394-e90b-08d7ac0f1e69\", \"CreationTime\": \"2020-02-07T20:48:43\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -554,7 +554,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763236Z", + "ingested": "2021-06-09T12:50:18.547192800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"InstantMessagingType\", \"Value\": \"Ocs\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:34\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-OwaMailboxPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\", \"Id\": \"0d7995da-038f-40d9-2765-08d7ac0f3d4d\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -635,7 +635,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763238700Z", + "ingested": "2021-06-09T12:50:18.547195300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:20\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -716,7 +716,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763241500Z", + "ingested": "2021-06-09T12:50:18.547197900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -785,7 +785,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763244300Z", + "ingested": "2021-06-09T12:50:18.547200400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:04\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Operation\": \"Enable-AddressListPaging\", \"Id\": \"a0063917-bb25-4c17-fe2e-08d7ac0f0769\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -866,7 +866,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763247600Z", + "ingested": "2021-06-09T12:50:18.547203300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:58\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"a324e83b-d1a3-4855-db2a-08d7ac0f277b\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -947,7 +947,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763250300Z", + "ingested": "2021-06-09T12:50:18.547205800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ebda487f-6177-432a-e91d-08d7adfc0d0d\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1028,7 +1028,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763252900Z", + "ingested": "2021-06-09T12:50:18.547208300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"ClientAppId\": \"\", \"RecordType\": 1, \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:09\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\", \"OrganizationName\": \"testsiem.onmicrosoft.com\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1109,7 +1109,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763255600Z", + "ingested": "2021-06-09T12:50:18.547211Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1190,7 +1190,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763258300Z", + "ingested": "2021-06-09T12:50:18.547213600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:09\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1271,7 +1271,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763304400Z", + "ingested": "2021-06-09T12:50:18.547260600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", 
\"Operation\": \"Set-Mailbox\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"CreationTime\": \"2020-02-10T07:37:18\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -1339,7 +1339,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763313600Z", + "ingested": "2021-06-09T12:50:18.547269100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:55\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"Id\": \"514d0e07-410f-469c-a7f9-08d7ac0f496e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1408,7 +1408,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763318Z", + "ingested": "2021-06-09T12:50:18.547273200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"ea769bfc-fa67-465c-767a-08d7adfc0b7b\", \"CreationTime\": \"2020-02-10T07:37:13\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1477,7 +1477,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763321100Z", + "ingested": "2021-06-09T12:50:18.547276400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"SupervisionTags\", \"Value\": \"Reject;Allow\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Id\": \"e022fa0d-13b2-4314-b707-08d7adfc0868\", \"CreationTime\": \"2020-02-10T07:37:08\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1545,7 +1545,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763323900Z", + "ingested": "2021-06-09T12:50:18.547279200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"514d0e07-410f-469c-a7f9-08d7ac0f496e\", \"CreationTime\": \"2020-02-07T20:49:55\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1614,7 +1614,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763327900Z", + "ingested": "2021-06-09T12:50:18.547281800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:52\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Id\": \"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1695,7 +1695,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763330800Z", + "ingested": "2021-06-09T12:50:18.547284500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"OMEncryptionStore\", \"Value\": \"True\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:49\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\", \"Id\": \"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1776,7 +1776,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763333600Z", + "ingested": "2021-06-09T12:50:18.547287300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:18\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1857,7 +1857,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763336200Z", + "ingested": "2021-06-09T12:50:18.547289900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:56\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"d83e97f0-951c-4ccc-630e-08d7ac0f267e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1938,7 +1938,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763338900Z", + "ingested": "2021-06-09T12:50:18.547292500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2019,7 +2019,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763341700Z", + "ingested": "2021-06-09T12:50:18.547295Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\", \"CreationTime\": \"2020-02-07T20:48:57\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2100,7 +2100,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763344300Z", + "ingested": "2021-06-09T12:50:18.547297500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"979931d3-c99d-45b1-14e1-08d7ac0f3209\", \"CreationTime\": \"2020-02-07T20:49:16\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2181,7 +2181,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763346800Z", + "ingested": "2021-06-09T12:50:18.547300100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:20\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"4bddac31-664e-4432-d181-08d7ac0f34d2\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2262,7 +2262,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763349400Z", + "ingested": "2021-06-09T12:50:18.547302700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"4d2e1010-489d-4aa0-e300-08d7ac0f314c\", \"CreationTime\": \"2020-02-07T20:49:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2345,7 +2345,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763352Z", + "ingested": "2021-06-09T12:50:18.547305300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:44\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", 
\"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2426,7 +2426,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763354800Z", + "ingested": "2021-06-09T12:50:18.547307800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2507,7 +2507,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763357400Z", + "ingested": "2021-06-09T12:50:18.547310300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:14\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2588,7 +2588,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763360200Z", + "ingested": "2021-06-09T12:50:18.547312800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\", \"CreationTime\": \"2020-02-07T20:49:20\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2669,7 +2669,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763362900Z", + "ingested": "2021-06-09T12:50:18.547315500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:08\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2750,7 +2750,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763365700Z", + "ingested": "2021-06-09T12:50:18.547318100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\", \"CreationTime\": \"2020-02-07T20:49:20\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2831,7 +2831,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763368500Z", + "ingested": "2021-06-09T12:50:18.547320700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:09\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2912,7 +2912,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763371300Z", + "ingested": "2021-06-09T12:50:18.547323200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:10\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2993,7 +2993,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763373900Z", + "ingested": "2021-06-09T12:50:18.547325600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\", \"CreationTime\": \"2020-02-07T20:49:21\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3074,7 +3074,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763376500Z", + "ingested": "2021-06-09T12:50:18.547328200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"d16f181c-257c-4d40-45e1-08d7adfc0c02\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -3152,7 +3152,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763382500Z", + "ingested": "2021-06-09T12:50:18.547330800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"UMGrammar\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"MaxSendSize\", \"Value\": \"1 GB (1,073,741,824 bytes)\"}, {\"Name\": \"MailRouting\", \"Value\": \"True\"}, {\"Name\": \"MessageTracking\", \"Value\": \"True\"}, {\"Name\": \"OMEncryption\", \"Value\": \"True\"}, {\"Name\": \"OABGen\", \"Value\": \"True\"}, {\"Name\": \"ClientExtensions\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"}, {\"Name\": \"GMGen\", \"Value\": \"True\"}, {\"Name\": \"SuiteServiceStorage\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\", \"CreationTime\": \"2020-02-07T20:48:42\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3222,7 +3222,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763385700Z", + "ingested": "2021-06-09T12:50:18.547333300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:55\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3291,7 +3291,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763388700Z", + "ingested": "2021-06-09T12:50:18.547335800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:52\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"HygieneSuite\", \"Value\": \"Premium\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3360,7 +3360,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763391200Z", + "ingested": "2021-06-09T12:50:18.547338400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Transport Settings\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"OrganizationFederatedMailbox\", \"Value\": \"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:52\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TransportConfig\", \"Id\": \"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3429,7 +3429,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763394Z", + "ingested": "2021-06-09T12:50:18.547340900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}], \"ObjectId\": \"testsiem.onmicrosoft.com\\\\ExchangeAssistance\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"New-ExchangeAssistanceConfig\", \"Id\": \"627aa8ff-1411-475d-d202-08d7ac0f08a5\", \"CreationTime\": \"2020-02-07T20:48:06\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3512,7 +3512,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763396600Z", + "ingested": "2021-06-09T12:50:18.547343400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:12\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": 
\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Id\": \"425128e3-4281-42f6-4ec7-08d7adfc0acd\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3593,7 +3593,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763399200Z", + "ingested": "2021-06-09T12:50:18.547346Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"TenantAllowBlockLists\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:18\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\", \"Id\": \"a4912729-9b49-43b3-d21f-08d7adfc0e8e\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3674,7 +3674,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763401700Z", + "ingested": "2021-06-09T12:50:18.547348400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:21\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3755,7 +3755,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763404500Z", + "ingested": "2021-06-09T12:50:18.547351100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"8126fd52-b16b-45c5-6aff-08d7adfc0c97\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3836,7 +3836,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763407Z", + "ingested": "2021-06-09T12:50:18.547353600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:14\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"70f24b65-0224-473b-49b8-08d7adfc0c83\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3917,7 +3917,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763409800Z", + "ingested": "2021-06-09T12:50:18.547356300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\", \"CreationTime\": \"2020-02-10T07:37:17\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3998,7 +3998,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763412300Z", + "ingested": "2021-06-09T12:50:18.547358900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:57\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4079,7 +4079,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763414900Z", + "ingested": "2021-06-09T12:50:18.547361400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:02\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4160,7 +4160,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763418Z", + "ingested": "2021-06-09T12:50:18.547363900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ebda487f-6177-432a-e91d-08d7adfc0d0d\", \"CreationTime\": \"2020-02-10T07:37:15\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4241,7 +4241,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763420900Z", + "ingested": "2021-06-09T12:50:18.547366500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:48:51\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"93d5f028-263c-45f1-dcf9-08d7ac0f2378\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4322,7 +4322,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763423600Z", + "ingested": "2021-06-09T12:50:18.547370200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4403,7 +4403,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763426100Z", + "ingested": "2021-06-09T12:50:18.547372800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:17\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -4473,7 +4473,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763428800Z", + "ingested": "2021-06-09T12:50:18.547375500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:23\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4543,7 +4543,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763431400Z", + "ingested": "2021-06-09T12:50:18.547378Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:24\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"9edbf9fe-f844-401f-e9ec-08d7adfc1242\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4624,7 +4624,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763434Z", + "ingested": "2021-06-09T12:50:18.547380600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:15\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4705,7 +4705,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763437200Z", + "ingested": "2021-06-09T12:50:18.547395500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:17\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -4775,7 +4775,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763440Z", + "ingested": "2021-06-09T12:50:18.547400600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"9edbf9fe-f844-401f-e9ec-08d7adfc1242\", \"CreationTime\": \"2020-02-10T07:37:24\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4843,7 +4843,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763442900Z", + "ingested": "2021-06-09T12:50:18.547413900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"InstantMessagingType\", \"Value\": \"Ocs\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-OwaMailboxPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\", \"Id\": \"0d7995da-038f-40d9-2765-08d7ac0f3d4d\", \"CreationTime\": \"2020-02-07T20:49:34\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4926,7 +4926,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763445700Z", + "ingested": "2021-06-09T12:50:18.547419600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": 
\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Id\": \"425128e3-4281-42f6-4ec7-08d7adfc0acd\", \"CreationTime\": \"2020-02-10T07:37:12\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5007,7 +5007,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763449600Z", + "ingested": "2021-06-09T12:50:18.547424600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\", \"CreationTime\": \"2020-02-10T07:37:14\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5088,7 +5088,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763452500Z", + "ingested": "2021-06-09T12:50:18.547427900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:13\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5169,7 +5169,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763455100Z", + "ingested": "2021-06-09T12:50:18.547431Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:02\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5250,7 +5250,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763457700Z", + "ingested": "2021-06-09T12:50:18.547433600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:57\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5331,7 +5331,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763460100Z", + "ingested": "2021-06-09T12:50:18.547436200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"2db154f6-63ae-4a31-c548-08d7adfc0d1d\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5412,7 +5412,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763462800Z", + "ingested": "2021-06-09T12:50:18.547438700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:21\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5493,7 +5493,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763465300Z", + "ingested": "2021-06-09T12:50:18.547441300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"2202ec45-7abc-49dd-e35e-08d7adfc0e15\", \"CreationTime\": \"2020-02-10T07:37:17\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -5562,7 +5562,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763468800Z", + "ingested": "2021-06-09T12:50:18.547443900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:04\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Enable-AddressListPaging\", \"Id\": \"a0063917-bb25-4c17-fe2e-08d7ac0f0769\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5632,7 +5632,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763471500Z", + "ingested": "2021-06-09T12:50:18.547446700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:55\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5701,7 +5701,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763474500Z", + "ingested": "2021-06-09T12:50:18.547460800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\", \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Version\": 1, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:24\", \"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\"}, {\"Name\": \"PrivacyStatementURL\", \"Value\": \"http://go.microsoft.com/fwlink/?LinkID=259417\"}, {\"Name\": \"PrivacyLinkDisplayEnabled\", \"Value\": \"True\"}], \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-ExchangeAssistanceConfig\", \"Id\": \"2cb36c1c-1368-4483-9801-08d7adfc11fe\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5771,7 +5771,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763478900Z", + "ingested": "2021-06-09T12:50:18.547465300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:23\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Version\": 1, \"ClientAppId\": \"\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5839,7 +5839,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763481700Z", + "ingested": "2021-06-09T12:50:18.547468600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:24\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-TenantObjectVersion\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5909,7 +5909,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763484500Z", + "ingested": "2021-06-09T12:50:18.547484800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}, {\"Name\": \"User\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"}, {\"Name\": \"AccessRights\", \"Value\": \"FullAccess\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:49\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Add-MailboxPermission\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5977,7 +5977,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763487100Z", + "ingested": "2021-06-09T12:50:18.547488700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"CreationTime\": \"2020-02-07T20:49:49\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6047,7 +6047,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763489700Z", + "ingested": "2021-06-09T12:50:18.547491700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}, {\"Name\": \"AdminAuditLogEnabled\", \"Value\": \"True\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:55\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-AdminAuditLogConfig\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\", \"Id\": \"0caecd44-0161-44e5-0e45-08d7ac0f49d6\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6128,7 +6128,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763492300Z", + "ingested": "2021-06-09T12:50:18.547494500Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"OMEncryptionStore\", \"Value\": \"True\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"Workload\": \"Exchange\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\", \"Id\": \"7386959b-a0d0-459e-baf8-08d7adfc0b4b\", \"CreationTime\": \"2020-02-10T07:37:12\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6209,7 +6209,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763494900Z", + "ingested": "2021-06-09T12:50:18.547497300Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"7b5e608f-0a09-4251-8922-08d7adfc0d15\", \"CreationTime\": \"2020-02-10T07:37:15\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6290,7 +6290,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763497800Z", + "ingested": "2021-06-09T12:50:18.547499800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"CreationTime\": \"2020-02-07T20:49:03\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"Id\": \"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6371,7 +6371,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763500500Z", + "ingested": "2021-06-09T12:50:18.547502200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:49:21\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"a61cdc9a-89ef-402b-102c-08d7ac0f3592\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6452,7 +6452,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763503100Z", + "ingested": "2021-06-09T12:50:18.547504900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\", \"Id\": \"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\", \"CreationTime\": \"2020-02-07T20:49:04\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6533,7 +6533,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763505600Z", + "ingested": "2021-06-09T12:50:18.547507600Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"Workload\": \"Exchange\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\", \"CreationTime\": \"2020-02-07T20:49:21\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6614,7 +6614,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763508200Z", + "ingested": "2021-06-09T12:50:18.547510100Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:14\", \"UserType\": 3, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"d16f181c-257c-4d40-45e1-08d7adfc0c02\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6695,7 +6695,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763510800Z", + "ingested": "2021-06-09T12:50:18.547515900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"RecordType\": 1, \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"Id\": \"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\", \"CreationTime\": \"2020-02-07T20:48:57\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -6765,7 +6765,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763513200Z", + "ingested": "2021-06-09T12:50:18.547520400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:21\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}, {\"Name\": \"User\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"}, {\"Name\": \"AccessRights\", \"Value\": \"FullAccess\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Add-MailboxPermission\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Id\": \"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6846,7 +6846,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763515700Z", + "ingested": "2021-06-09T12:50:18.547523200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\", \"Id\": \"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\", \"CreationTime\": \"2020-02-07T20:48:57\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6927,7 +6927,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763519Z", + "ingested": "2021-06-09T12:50:18.547538400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\", \"Id\": \"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\", \"CreationTime\": \"2020-02-10T07:37:13\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -6996,7 +6996,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763521800Z", + "ingested": "2021-06-09T12:50:18.547541900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-10T07:37:07\", \"Parameters\": [{\"Name\": \"DoNotUpdateRecipients\", \"Value\": \"True\"}, {\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}], \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Enable-AddressListPaging\", \"ObjectId\": \"testsiem.onmicrosoft.com\", \"Id\": \"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7077,7 +7077,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763524500Z", + "ingested": "2021-06-09T12:50:18.547544700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\", \"CreationTime\": \"2020-02-10T07:37:14\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -7145,7 +7145,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763527400Z", + "ingested": "2021-06-09T12:50:18.547547400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Resource Schema\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-07T20:48:32\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"Organization\", \"Value\": \"testsiem.onmicrosoft.com\"}], \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Install-ResourceConfig\", \"Id\": \"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7215,7 +7215,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763530100Z", + "ingested": "2021-06-09T12:50:18.547550200Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:23\", \"ClientAppId\": \"\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"Id\": \"80d8b808-c24c-4359-24cf-08d7adfc11e3\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7293,7 +7293,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763532500Z", + "ingested": "2021-06-09T12:50:18.547552800Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Workload\": \"Exchange\", \"Parameters\": [{\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"UMGrammar\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"MaxSendSize\", \"Value\": \"1 GB (1,073,741,824 bytes)\"}, {\"Name\": \"MailRouting\", \"Value\": \"True\"}, {\"Name\": \"MessageTracking\", \"Value\": \"True\"}, {\"Name\": \"OMEncryption\", \"Value\": \"True\"}, {\"Name\": \"OABGen\", \"Value\": \"True\"}, {\"Name\": \"ClientExtensions\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"}, {\"Name\": \"GMGen\", \"Value\": \"True\"}, {\"Name\": \"SuiteServiceStorage\", \"Value\": \"True\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:48:42\", \"ClientAppId\": \"\", \"Version\": 1, \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\", \"Id\": \"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7374,7 +7374,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763535Z", + "ingested": "2021-06-09T12:50:18.547555700Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"AppId\": \"\", \"CreationTime\": \"2020-02-10T07:37:16\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"c6db95ea-9eae-4b58-d692-08d7adfc0d98\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -7444,7 +7444,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763537500Z", + "ingested": "2021-06-09T12:50:18.547558400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"ObjectId\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"CreationTime\": \"2020-02-07T20:49:52\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Parameters\": [{\"Name\": \"DomainController\", \"Value\": \"\"}, {\"Name\": \"IgnoreDehydratedFlag\", \"Value\": \"True\"}, {\"Name\": \"Identity\", \"Value\": \"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"}, {\"Name\": \"PublicFolderHierarchyMailboxCountQuota\", \"Value\": \"100\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"ExternalAccess\": true, \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Operation\": \"Set-RecipientEnforcementProvisioningPolicy\", \"Id\": \"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7525,7 +7525,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763540200Z", + "ingested": "2021-06-09T12:50:18.547560900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ClientAppId\": \"\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T07:37:15\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\", \"Id\": \"fcd82149-fc1c-4866-e16d-08d7adfc0cff\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7608,7 +7608,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763542800Z", + "ingested": "2021-06-09T12:50:18.547563900Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\", \"Parameters\": [{\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"Management\", \"Value\": \"True\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"DisplayName\", \"Value\": \"Microsoft Exchange Migration\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"9 GB (9,663,676,416 bytes)\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"Migration\", \"Value\": \"True\"}, {\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"10 GB (10,737,418,240 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}], \"UserType\": 3, \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ClientAppId\": \"\", \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", 
\"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\", \"CreationTime\": \"2020-02-07T20:48:44\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7689,7 +7689,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:02.763545500Z", + "ingested": "2021-06-09T12:50:18.547566400Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (15.20.207.17)\", \"Version\": 1, \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\", \"ClientAppId\": \"\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"ExternalAccess\": true, \"UserId\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"Parameters\": [{\"Name\": \"RecoverableItemsQuota\", \"Value\": \"30 GB (32,212,254,720 bytes)\"}, {\"Name\": \"Force\", \"Value\": \"True\"}, {\"Name\": \"Arbitration\", \"Value\": \"True\"}, {\"Name\": \"QuarantineMessageStore\", \"Value\": \"True\"}, {\"Name\": \"ProhibitSendQuota\", \"Value\": \"99 GB (106,300,440,576 bytes)\"}, {\"Name\": \"HiddenFromAddressListsEnabled\", \"Value\": \"True\"}, {\"Name\": \"SCLDeleteEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLQuarantineEnabled\", \"Value\": \"False\"}, {\"Name\": \"SCLRejectEnabled\", \"Value\": \"False\"}, {\"Name\": \"UseDatabaseQuotaDefaults\", \"Value\": \"False\"}, {\"Name\": \"RecoverableItemsWarningQuota\", \"Value\": \"20 GB (21,474,836,480 bytes)\"}, {\"Name\": \"IssueWarningQuota\", \"Value\": \"90 GB (96,636,764,160 bytes)\"}, {\"Name\": \"Identity\", \"Value\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"}, {\"Name\": \"ProhibitSendReceiveQuota\", \"Value\": \"100 GB (107,374,182,400 bytes)\"}, {\"Name\": \"SCLJunkEnabled\", \"Value\": \"False\"}], \"UserType\": 3, \"Workload\": \"Exchange\", \"ResultStatus\": \"True\", \"AppId\": \"\", \"UserKey\": \"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": 
\"Set-Mailbox\", \"Id\": \"e9e580ee-ac04-436f-9214-08d7adfc0d8b\", \"CreationTime\": \"2020-02-10T07:37:16\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json index b90a1175b4c..29841a427c4 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item.log-expected.json 
@@ -72,7 +72,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283084700Z", + "ingested": "2021-06-09T12:50:22.078177Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"Create\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -164,7 +164,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283110Z", + "ingested": "2021-06-09T12:50:22.078197400Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\"},\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Subject\":\"The new All Company group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:46\",\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -256,7 +256,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283113800Z", + "ingested": "2021-06-09T12:50:22.078200600Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"Create\",\"ClientIPAddress\":\"::1\",\"Item\":{\"InternetMessageId\":\"\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\u003e\",\"IsRecord\":false,\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"ParentFolder\":{\"Path\":\"\\\\Inbox\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\"},\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Subject\":\"The new All Company group is ready\"},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:31\",\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -348,7 +348,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283116700Z", + "ingested": "2021-06-09T12:50:22.078203Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:41\",\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -440,7 +440,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283119500Z", + "ingested": "2021-06-09T12:50:22.078205200Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"RecordType\":2,\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:22\",\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -532,7 +532,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283122100Z", + "ingested": "2021-06-09T12:50:22.078207500Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"DB7PR01MB4428 (15.20.207.31)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:22\",\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -624,7 +624,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283124700Z", + "ingested": "2021-06-09T12:50:22.078209800Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"DB3PR0102MB3500 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T08:53:41\",\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -716,7 +716,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283127Z", + "ingested": "2021-06-09T12:50:22.078212Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"ModifyFolderPermissions\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"LogonType\":1,\"ExternalAccess\":true,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -808,7 +808,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-06-09T12:48:06.283129400Z", + "ingested": "2021-06-09T12:50:22.078214200Z", "original": "{\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"UserKey\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIPAddress\":\"::1\",\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Path\":\"\\\\Calendar\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\"}},\"LogonUserSid\":\"S-1-5-18\",\"OriginatingServer\":\"AM6PR01MB4535 (15.20.225.32)\\n\",\"RecordType\":2,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":true,\"LogonType\":1,\"ClientIP\":\"::1\",\"Workload\":\"Exchange\",\"InternalLogonType\":1,\"UserId\":\"S-1-5-18\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"UserType\":2}", "code": "ExchangeItem", "provider": "Exchange", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json index d15e380d488..7eb26447cf1 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats.log-expected.json 
@@ -26,7 +26,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-09T12:48:06.648672600Z", + "ingested": "2021-06-09T12:50:22.448610300Z", "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -71,7 +71,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-09T12:48:06.648694700Z", + "ingested": "2021-06-09T12:50:22.448623700Z", "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -114,7 +114,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-09T12:48:06.648699100Z", + "ingested": "2021-06-09T12:50:22.448626600Z", "original": "{\"ClientIP\":\"10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -157,7 +157,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-09T12:48:06.648701900Z", + "ingested": "2021-06-09T12:50:22.448629500Z", "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -202,7 +202,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-06-09T12:48:06.648704200Z", + "ingested": "2021-06-09T12:50:22.448631600Z", "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -247,7 +247,7 @@ "ip": "2001:db8::abcd" }, "event": { - "ingested": "2021-06-09T12:48:06.648706600Z", + "ingested": "2021-06-09T12:50:22.448633800Z", "original": "{\"ClientIP\":\"[2001:db8::abcd]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -290,7 +290,7 @@ "ip": "2001:db8::abcd" }, "event": { - "ingested": "2021-06-09T12:48:06.648708900Z", + "ingested": "2021-06-09T12:50:22.448636Z", "original": "{\"ClientIP\":\"2001:db8::abcd\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -324,7 +324,7 @@ "domain": "[2001:db8::abcd]" }, "event": { - "ingested": "2021-06-09T12:48:06.648711300Z", + "ingested": "2021-06-09T12:50:22.448638200Z", "original": "{\"ClientIP\":\"[2001:db8::abcd]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -355,7 +355,7 @@ "domain": "[10.11.12.13]" }, "event": { - "ingested": "2021-06-09T12:48:06.648713700Z", + "ingested": "2021-06-09T12:50:22.448640500Z", "original": "{\"ClientIP\":\"[10.11.12.13]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -386,7 +386,7 @@ "domain": "localhost" }, "event": { - "ingested": "2021-06-09T12:48:06.648716100Z", + "ingested": "2021-06-09T12:50:22.448642700Z", "original": "{\"ClientIP\":\"localhost\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -417,7 +417,7 @@ "domain": "[localhost]:12345" }, "event": { - "ingested": "2021-06-09T12:48:06.648718400Z", + "ingested": "2021-06-09T12:50:22.448645200Z", "original": "{\"ClientIP\":\"[localhost]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -448,7 +448,7 @@ "domain": "localhost:12345" }, "event": { - "ingested": "2021-06-09T12:48:06.648720800Z", + "ingested": "2021-06-09T12:50:22.448647500Z", "original": "{\"ClientIP\":\"localhost:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -479,7 +479,7 @@ "domain": "[cool.client.local]:12345" }, "event": { - "ingested": "2021-06-09T12:48:06.648723200Z", + "ingested": "2021-06-09T12:50:22.448649700Z", "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -510,7 +510,7 @@ "domain": "cool.client.local" }, "event": { - "ingested": "2021-06-09T12:48:06.648725800Z", + "ingested": "2021-06-09T12:50:22.448653600Z", "original": "{\"ClientIP\":\"cool.client.local\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -541,7 +541,7 @@ "domain": "cool.client.local:12345" }, "event": { - "ingested": "2021-06-09T12:48:06.648728100Z", + "ingested": "2021-06-09T12:50:22.448656100Z", "original": "{\"ClientIP\":\"cool.client.local:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json index 43989136272..941c8412f96 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams.log-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.851666300Z", + "ingested": "2021-06-09T12:50:22.655661200Z", "original": "{\"RecordType\":25,\"Version\":1,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserId\":\"Application\",\"UserKey\":\"\",\"CreationTime\":\"2020-02-17T16:59:44\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"TeamCreated\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"UserType\":5,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", 
@@ -113,7 +113,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.851683900Z", + "ingested": "2021-06-09T12:50:22.655673400Z", "original": "{\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:47\",\"ItemName\":\"SIEMTest\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"UserType\":0,\"Members\":[{\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\",\"DisplayName\":\"David\"},{\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\",\"DisplayName\":\"Chuck\"},{\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\",\"DisplayName\":\"Bob\"},{\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alice\"}]}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", @@ -183,7 +183,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.851687500Z", + "ingested": "2021-06-09T12:50:22.655676200Z", "original": "{\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:44\",\"ItemName\":\"SIEMTest\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"UserType\":0,\"Members\":[{\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alan Smithee\"}]}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", 
@@ -241,7 +241,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.851690300Z", + "ingested": "2021-06-09T12:50:22.655678600Z", "original": "{\"RecordType\":25,\"Version\":1,\"ObjectId\":\"Unknown (Unknown)\",\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"CreationTime\":\"2020-02-17T16:59:34\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"Operation\":\"TeamsSessionStarted\",\"UserType\":0,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json index 555f0e52c30..acf3baceb99 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts.log-expected.json 
@@ -47,7 +47,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.967302200Z", + "ingested": "2021-06-09T12:50:22.747811900Z", "original": "{\"Category\": \"AccessGovernance\", \"UserKey\": \"SecurityComplianceAlerts\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AlertEntityId\" : \"asr@testsiem.onmicrosoft.com\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"RecordType\" : 40, \"Version\" : 1, \"Status\" : \"Active\", \"ObjectId\" : \"asr@testsiem.onmicrosoft.com\", \"ResultStatus\" : \"Succeeded\", \"Comments\" : \"New alert\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/alert\" }, { \"AlertLinkHref\" : \"http://example.net/info\" } ], \"Severity\" : \"Low\", \"Data\" : \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\", \"Workload\" : \"SecurityComplianceCenter\", \"EntityType\" : \"User\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\" }", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", 
@@ -110,7 +110,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.967318200Z", + "ingested": "2021-06-09T12:50:22.747824800Z", "original": "{ \"Status\" : \"Active\", \"Category\" : \"AccessGovernance\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"New alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/single\" } ], \"Data\" : \"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\", \"Severity\" : \"Low\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\" }", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", 
@@ -172,7 +172,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-06-09T12:48:06.967321600Z", + "ingested": "2021-06-09T12:50:22.747827800Z", "original": "{ \"Status\" : \"Active\", \"Category\" : \"ThreatManagement\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"12345678-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"This is a phony threat alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [], \"Data\" : \"{\\\"something\\\":\\\"blabla\\\"}\", \"Severity\" : \"High\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security \u0026 Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Phony Malware Alert\", \"AlertType\" : \"System\", \"AlertId\" : \"1233344-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\", \"AlertEntityId\" : \"Malware/Evil.Malware.B\", \"EntityType\" : \"MalwareFamily\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json index 9dda11c0c51..21842982180 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint.log-expected.json 
@@ -71,7 +71,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.068651800Z", + "ingested": "2021-06-09T12:50:22.838533800Z", "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CustomUniqueId\": true, \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"Operation\": \"PageViewed\", \"CreationTime\": \"2020-02-07T16:43:53\", \"RecordType\": 4}", "code": "SharePoint", "provider": "OneDrive", 
@@ -177,7 +177,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.068666300Z", + "ingested": "2021-06-09T12:50:22.838547800Z", "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}", "code": "SharePoint", "provider": "OneDrive", 
@@ -283,7 +283,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.068669900Z", + "ingested": "2021-06-09T12:50:22.838550700Z", "original": "{\"UserId\": \"asr@testsiem.onmicrosoft.com\", \"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"RecordType\": 4, \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"Version\": 1, \"EventSource\": \"SharePoint\", \"CustomUniqueId\": true, \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"Operation\": \"PageViewed\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"ItemType\": \"Page\"}", "code": "SharePoint", "provider": "OneDrive", 
@@ -389,7 +389,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.068672800Z", + "ingested": "2021-06-09T12:50:22.838553400Z", "original": "{\"Workload\": \"OneDrive\", \"Version\": 1, \"RecordType\": 4, \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"ClientIP\": \"213.97.47.133\", \"Operation\": \"PageViewed\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"ItemType\": \"Page\"}", "code": "SharePoint", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json index 9755ba8d384..5fd0ca2aeaa 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop.log-expected.json 
@@ -79,7 +79,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270266900Z", + "ingested": "2021-06-09T12:50:23.028005900Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"SourceRelativeUrl\": \"Documents\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Version\": 1, \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -195,7 +195,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270281200Z", + "ingested": "2021-06-09T12:50:23.028019100Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"RecordType\": 6, \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -311,7 +311,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270284600Z", + "ingested": "2021-06-09T12:50:23.028022200Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:08\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents/Forms\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"aspx\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-90a0-a000-f25f-919afc141eb1\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"All.aspx\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"ff3631c1-6189-45c7-ad45-c15cea9e9255\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileAccessed\", \"Id\": \"25b08f04-48ee-4755-ce22-08d7abecf3a9\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -427,7 +427,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270287200Z", + "ingested": "2021-06-09T12:50:23.028024800Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:08\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents/Forms\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"aspx\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-90a0-a000-f25f-919afc141eb1\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"All.aspx\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"ff3631c1-6189-45c7-ad45-c15cea9e9255\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileAccessed\", \"Id\": \"25b08f04-48ee-4755-ce22-08d7abecf3a9\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -544,7 +544,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270291100Z", + "ingested": "2021-06-09T12:50:23.028027Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:21\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"ImplicitShare\": \"No\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-c016-a000-f25f-990a07b2e011\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileUploaded\", \"Id\": \"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -660,7 +660,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270293900Z", + "ingested": "2021-06-09T12:50:23.028029300Z", "original": "{\"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"SourceRelativeUrl\": \"Documents\", \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -776,7 +776,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270296800Z", + "ingested": "2021-06-09T12:50:23.028031400Z", "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:07\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"652b339f-908c-a000-f25f-91423da7dd9b\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot 2020-01-27 at 11.30.48.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"4803608a-df7d-4f63-aa73-67aa33bb576e\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileDeleted\", \"Id\": \"ec04aa09-0a43-4879-cdc8-08d7abecf327\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -893,7 +893,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270299300Z", + "ingested": "2021-06-09T12:50:23.028033400Z", "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:21\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"ImplicitShare\": \"No\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-c016-a000-f25f-990a07b2e011\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileUploaded\", \"Id\": \"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -1009,7 +1009,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270301700Z", + "ingested": "2021-06-09T12:50:23.028035500Z", "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SourceFileName\": \"Screenshot.png\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Version\": 1, \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -1125,7 +1125,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270304200Z", + "ingested": "2021-06-09T12:50:23.028037600Z", "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"ItemType\": \"File\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"RecordType\": 6, \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", 
@@ -1241,7 +1241,7 @@ "ip": "213.97.47.133" }, "event": { - "ingested": "2021-06-09T12:48:07.270306600Z", + "ingested": "2021-06-09T12:50:23.028039800Z", "original": "{\"SourceRelativeUrl\": \"Documents\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T16:44:23\", \"ListId\": \"2b6ad2bd-0fd7-4556-9c89-a97847085b85\", \"Version\": 1, \"RecordType\": 6, \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"SourceFileExtension\": \"png\", \"UserType\": 0, \"EventSource\": \"SharePoint\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"ClientIP\": \"213.97.47.133\", \"CorrelationId\": \"692b339f-902e-a000-f25f-95def5f17903\", \"Workload\": \"OneDrive\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"SiteUrl\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\", \"SourceFileName\": \"Screenshot.png\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"ItemType\": \"File\", \"ListItemUniqueId\": \"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"Operation\": \"FileModified\", \"Id\": \"5b02fadb-8eac-4aff-af87-08d7abecfca3\"}", "code": "SharePointFileOperation", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json index 1f620a22620..a1b1046df70 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op.log-expected.json 
@@ -43,7 +43,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:48:07.800332700Z", + "ingested": "2021-06-09T12:50:23.553097500Z", "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"Everyone except external users\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Members\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"TargetUserOrGroupType\":\"SecurityGroup\",\"Version\":1,\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"CreationTime\":\"2020-02-17T16:59:50\",\"UserAgent\":\"\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -115,7 +115,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:48:07.800347200Z", + "ingested": "2021-06-09T12:50:23.553111500Z", "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"Member\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserId\":\"app@sharepoint\",\"UserAgent\":\"\",\"CreationTime\":\"2020-02-17T16:59:50\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -187,7 +187,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:48:07.800350500Z", + "ingested": "2021-06-09T12:50:23.553115100Z", "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"ItemType\":\"Web\",\"TargetUserOrGroupName\":\"SIEMTest Owners\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"SecurityGroup\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserId\":\"app@sharepoint\",\"CreationTime\":\"2020-02-17T16:59:50\",\"UserAgent\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -259,7 +259,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:48:07.800353300Z", + "ingested": "2021-06-09T12:50:23.553117500Z", "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"TargetUserOrGroupName\":\"SIEMTest Members\",\"Operation\":\"AddedToGroup\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Members\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"Version\":1,\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"UserAgent\":\"\",\"CreationTime\":\"2020-02-17T16:59:50\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -331,7 +331,7 @@ }, "client": {}, "event": { - "ingested": "2021-06-09T12:48:07.800355700Z", + "ingested": "2021-06-09T12:50:23.553119800Z", "original": "{\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"ItemType\":\"Web\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ClientIP\":\"\",\"EventData\":\"\u003cGroup\u003eSite Owners\u003c/Group\u003e\",\"Workload\":\"SharePoint\",\"EventSource\":\"SharePoint\",\"RecordType\":14,\"TargetUserOrGroupType\":\"Member\",\"Version\":1,\"UserId\":\"app@sharepoint\",\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"CreationTime\":\"2020-02-17T16:59:49\",\"UserAgent\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -433,7 +433,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:07.800358100Z", + "ingested": "2021-06-09T12:50:23.553122Z", "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"ItemType\":\"List\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingInheritanceBroken\",\"ClientIP\":\"79.159.10.151\",\"EventData\":\"\u003ccopyRoleAssignments\u003eFalse\u003c/copyRoleAssignments\u003e\u003cclearSubScopes\u003eFalse\u003c/clearSubScopes\u003e\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Sharing Links\",\"EventSource\":\"SharePoint\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", 
@@ -545,7 +545,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:07.800360400Z", + "ingested": "2021-06-09T12:50:23.553124200Z", "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"AnonymousLinkCreated\",\"EventData\":\"\u003cType\u003eEdit\u003c/Type\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"SourceFileName\":\"Screenshot.png\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"ClientIP\":\"79.159.10.151\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", 
@@ -658,7 +658,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:07.800362900Z", + "ingested": "2021-06-09T12:50:23.553126400Z", "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"EventData\":\"\u003cPermissions granted\u003eContribute\u003c/Permissions granted\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SourceFileName\":\"Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"ClientIP\":\"79.159.10.151\",\"SourceFileExtension\":\"png\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:45\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", 
@@ -771,7 +771,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:07.800365300Z", + "ingested": "2021-06-09T12:50:23.553128600Z", "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"ItemType\":\"File\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingSet\",\"EventData\":\"\u003cPermissions granted\u003eLimited Access\u003c/Permissions granted\u003e\",\"RecordType\":14,\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"SourceFileName\":\"Screenshot.png\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"ClientIP\":\"79.159.10.151\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:44\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", 
@@ -884,7 +884,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:07.800367800Z", + "ingested": "2021-06-09T12:50:23.553130700Z", "original": "{\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"ItemType\":\"File\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"SharingSet\",\"EventData\":\"\u003cPermissions granted\u003eSystem.LimitedEdit\u003c/Permissions granted\u003e\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"RecordType\":14,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"SourceFileName\":\"Screenshot.png\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"ClientIP\":\"79.159.10.151\",\"SourceFileExtension\":\"png\",\"Workload\":\"OneDrive\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"EventSource\":\"SharePoint\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-14T18:25:44\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"UserType\":0}", "code": "SharePointSharingOperation", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json index fae046b60ef..f6fee278520 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer.log-expected.json 
@@ -68,7 +68,7 @@ "ip": "79.159.10.151" }, "event": { - "ingested": "2021-06-09T12:48:08.223704Z", + "ingested": "2021-06-09T12:50:23.966539400Z", "original": "{\"ObjectId\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"CreationTime\":\"2020-02-28T09:42:45\",\"UserKey\":\"100320009d6edf94\",\"YammerNetworkId\":5846122497,\"Operation\":\"GroupCreation\",\"ClientIP\":\"79.159.10.151:12345\",\"ActorYammerUserId\":36787265537,\"UserType\":0,\"ResultStatus\":\"TRUE\",\"RecordType\":22,\"Workload\":\"Yammer\",\"Version\":1,\"GroupName\":\"Sales\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\"}", "code": "Yammer", "provider": "Yammer", @@ -146,7 +146,7 @@ "ip": "fdfd::555" }, "event": { - "ingested": "2021-06-09T12:48:08.223718600Z", + "ingested": "2021-06-09T12:50:23.966553Z", "original": "{\"CreationTime\":\"2020-02-28T09:39:20\",\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ObjectId\":\"Company group\",\"UserKey\":\"100320009d292e16\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"Operation\":\"GroupCreation\",\"ResultStatus\":\"TRUE\",\"UserType\":0,\"Workload\":\"Yammer\",\"Version\":1,\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"YammerNetworkId\":5846122497,\"RecordType\":22,\"GroupName\":\"Company group\"}", "code": "Yammer", "provider": "Yammer", diff --git a/packages/o365/data_stream/audit/manifest.yml b/packages/o365/data_stream/audit/manifest.yml index 1a9c28b8d59..3ef613fee70 100644 --- a/packages/o365/data_stream/audit/manifest.yml +++ b/packages/o365/data_stream/audit/manifest.yml 
@@ -91,6 +91,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + template_path: o365audit.yml.hbs - input: logfile title: "Collect Office 365 audit logs via log files" @@ -141,3 +142,4 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml index 64577a5b082..7259e0ec703 100644 --- a/packages/o365/manifest.yml +++ b/packages/o365/manifest.yml @@ -1,6 +1,6 @@ name: o365 title: Office 365 -version: 0.4.0 +version: 0.5.0 release: experimental description: Office 365 Integration type: integration From 023d3e17f15eb9c0b774c0802f8b545bb0f4b00d Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Fri, 11 Jun 2021 10:50:00 +0200 Subject: [PATCH 3/3] update config --- .../data_stream/audit/agent/stream/o365audit.yml.hbs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs b/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs index ecea19e0dc5..bd8a46aa18c 100644 --- a/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs +++ b/packages/o365/data_stream/audit/agent/stream/o365audit.yml.hbs @@ -23,9 +23,6 @@ publisher_pipeline.disable_host: true {{/contains}} {{#if tenant_names}} processors: -{{#if processors}} -{{processors}} -{{/if}} - add_fields: target: '_conf.tenants' fields: 
@@ -33,4 +30,11 @@ processors:
 {{#each tenant_names as |entry i|}}
 - {{entry.id}}: {{entry.name}}
 {{/each}}
+{{else}}
+{{#if processors}}
+processors:
+{{/if}}
+{{/if}}
+{{#if processors}}
+{{processors}}
 {{/if}}
\ No newline at end of file
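Review bot: Custom processors can now drop or rewrite `_conf.tenants`, because the user-supplied `{{processors}}` block is rendered after the `add_fields` entry that sets it; the earlier hunk at `@@ -23,9 +23,6 @@` removes it from the top of the list. Whether later stages read that field is not visible here, but if they do, a user `drop_fields` or `rename` would silently change tenant attribution on audit events, so the ordering should be stated in the template. I would add a comment above the final block, for example `{{!-- user processors run last, after _conf.tenants is set; the else branch emits processors: when no tenant names are given --}}`. The template continues outside both hunks, so the full rendered list cannot be checked from here.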