diff --git a/Aruba Network/aruba-os/_meta/smart-descriptions.json b/Aruba Network/aruba-os/_meta/smart-descriptions.json
index e9d572d79..c92ae7678 100644
--- a/Aruba Network/aruba-os/_meta/smart-descriptions.json
+++ b/Aruba Network/aruba-os/_meta/smart-descriptions.json
@@ -4,12 +4,34 @@
 "conditions": [
 { "field": "source.ip" },
 { "field": "user.name" },
- { "field": "event.reason" }
+ { "field": "event.reason" },
+ { "field": "event.dataset" }
 ]
 },
 {
 "value": "{event.dataset} event from {source.ip}: {event.reason}",
- "conditions": [{ "field": "source.ip" }, { "field": "event.reason" }]
+ "conditions": [
+ { "field": "source.ip" },
+ { "field": "event.reason" },
+ { "field": "event.dataset" }
+ ]
+ },
+ {
+ "value": "{event.category} event for user '{user.name}' from {source.ip}: {event.reason}",
+ "conditions": [
+ { "field": "source.ip" },
+ { "field": "user.name" },
+ { "field": "event.reason" },
+ { "field": "event.category" }
+ ]
+ },
+ {
+ "value": "{event.category} event from {source.ip}: {event.reason}",
+ "conditions": [
+ { "field": "source.ip" },
+ { "field": "event.reason" },
+ { "field": "event.category" }
+ ]
 },
 {
 "value": "{event.reason}",
diff --git a/Aruba Network/aruba-os/ingest/parser.yml b/Aruba Network/aruba-os/ingest/parser.yml
index 8f38ca817..3e7d4fcc6 100644
--- a/Aruba Network/aruba-os/ingest/parser.yml
+++ b/Aruba Network/aruba-os/ingest/parser.yml
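Review bot: The two new `{event.category}` templates interpolate a field that the fixtures added in this commit populate as a list (`"category": ["network"]`, `["authentication"]`), so the rendered text depends on how the description engine stringifies a list and may come out as `['network'] event from …` rather than `network event from …`. Unless the engine is known to unwrap single-element lists, a fixed word with `event.category` kept only as a condition is safer, e.g. `"value": "Network event from {source.ip}: {event.reason}"` for the entry whose condition requires `event.category`, or a description fixture that pins the rendered string. The `{event.dataset}` entries are not affected since `event.dataset` is a scalar in ECS.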
@@ -4,7 +4,32 @@ pipeline:
 external:
 name: grok.match
 properties:
- pattern: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*'
+ pattern: "%{SYSLOG}|%{DEFAULT}"
+ custom_patterns:
+ SYSLOG: '<%{NUMBER:code}> <%{NUMBER}> (<%{WORD}> )?<%{WORD} %{IP:src_ip}>\s*(%{WORD}:\s*)?\s*%{GREEDYDATA:syslog_payload}'
+ DEFAULT: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*'
+
+ - name: parse_syslog_message
+ external:
+ name: grok.match
+ properties:
+ input_field: "parse_message.message.syslog_payload"
+ pattern: "%{USER_INFO}|%{FORMAT_133121}|%{KV_PART}"
+ custom_patterns:
+ FORMAT_133121: "%{DATA} to %{IP:dst_ip}(:%{NUMBER:dst_port})? with %{GREEDYDATA}"
+ KV_PART: '%{DATA:payload}.\s*%{GREEDYDATA:kv_part}'
+ USER_INFO: "User %{USERNAME:user_name}.*?"
+ filter: "{{ parse_message.message.get('syslog_payload') != None }}"
+
+ - name: syslog_parse_kv_part_message
+ external:
+ name: kv.parse-kv
+ properties:
+ input_field: "{{parse_syslog_message.message.kv_part}}"
+ output_field: message
+ value_sep: "="
+ item_sep: \s
+ filter: "{{ parse_syslog_message.message.get('kv_part') != None }}"
 - name: parse_auth_message
 external:
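Review bot: In `KV_PART` the `.` between `%{DATA:payload}` and `\s*` is unescaped, so it matches any single character instead of the sentence-ending period that the kv-style payloads in this commit's fixtures carry (`… Authentication failed. username=admin …`); with a lazy `%{DATA}` the first match leaves `payload` empty and pushes the leading prose into `kv_part`, and the tests presumably pass only because `kv.parse-kv` ignores tokens without `=`. Escaping it, `KV_PART: '%{DATA:payload}\.\s*%{GREEDYDATA:kv_part}'`, yields the intended split and a meaningful `payload`. Separately, `SYSLOG` makes `<%{WORD} %{IP:src_ip}>` mandatory while the fixture messages added here (`<133006> <6069> User admin …`) carry no such token yet expect `source.ip`; if the test harness prepends that header, a comment next to the pattern saying so would spare the next reader the same check.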
@@ -77,7 +102,30 @@ pipeline:
 - name: set_misc_fields
 filter: "{{ parse_message.message.prefix.lower() not in ('auth', 'mgr', 'ssl', 'sntp', 'snmp', 'dhcp-snoop') }}"
+ - name: set_syslog_fields
+ filter: "{{ parse_message.message.get('syslog_payload') != None }}"
+
 stages:
+ set_syslog_fields:
+ actions:
+ - set:
+ event.category: ["network"]
+ event.type: ["info"]
+ event.reason: "{{ parse_message.message.syslog_payload }}"
+ source.ip: "{{ parse_message.message.src_ip }}"
+ destination.domain: "{{ syslog_parse_kv_part_message.message.servername }}"
+ destination.ip: "{{ parse_syslog_message.message.dst_ip or syslog_parse_kv_part_message.message.serverip }}"
+ destination.port: "{{ parse_syslog_message.message.dst_port }}"
+ user.name: "{{ parse_syslog_message.message.user_name or syslog_parse_kv_part_message.message.username }}"
+
+ - set:
+ source.ip: "{{ syslog_parse_kv_part_message.message.userip }}"
+ filter: "{{ syslog_parse_kv_part_message.message.get('userip') != None }}"
+
+ - set:
+ event.category: ["authentication"]
+ filter: "{{ 'authentication' in parse_message.message.syslog_payload.lower() }}"
+
 set_ecs_fields:
 actions:
 - set:
diff --git a/Aruba Network/aruba-os/tests/test_other_10.json b/Aruba Network/aruba-os/tests/test_other_10.json
new file mode 100644
index 000000000..ad35ce19b
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_10.json
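Review bot: `set_syslog_fields` marks the failed-login payloads seen in the new fixtures (`User admin Failed Authentication …`, `Mgmt User Authentication failed. …`) as `event.category: ["authentication"]` with `event.type: ["info"]` but never sets `event.outcome`, so detections keyed on `event.outcome: failure` will not see them; a third conditional set, `event.outcome: failure` with `filter: "{{ 'fail' in parse_message.message.syslog_payload.lower() }}"`, covers both message shapes (the token list deserves a check against more samples before relying on it). The second `set` also silently replaces the `source.ip` taken from the syslog header (`src_ip`) with the `userip` value parsed out of the free-text payload; a one-line comment stating that `userip` deliberately wins — or, if `<WORD IP>` in `SYSLOG` denotes the emitting controller rather than the client, keeping that header value under `observer.ip` instead — would make the precedence explicit. The `stages` block continues outside the hunk.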
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133006> <6069> User admin Failed Authentication (Processing USER_REQUEST on UserDB)"
+ },
+ "expected": {
+ "message": "<133006> <6069> User admin Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "reason": "User admin Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "ip": [
+ "10.33.17.8"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "address": "10.33.17.8",
+ "ip": "10.33.17.8"
+ },
+ "user": {
+ "name": "admin"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_11.json b/Aruba Network/aruba-os/tests/test_other_11.json
new file mode 100644
index 000000000..349233d90
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_11.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133019> <6069> User admin was not found in the database"
+ },
+ "expected": {
+ "message": "<133019> <6069> User admin was not found in the database",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "User admin was not found in the database",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "ip": [
+ "10.33.17.8"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "address": "10.33.17.8",
+ "ip": "10.33.17.8"
+ },
+ "user": {
+ "name": "admin"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_12.json b/Aruba Network/aruba-os/tests/test_other_12.json
new file mode 100644
index 000000000..8627828f1
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_12.json
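Review bot: The expected `source.ip`/`related.ip` value `10.33.17.8` in test_other_10.json does not occur anywhere in the fixture's input `message`, and the `SYSLOG` pattern this commit adds can only fill `src_ip` from a `<WORD IP>` token that the message lacks; test_other_11.json has the same gap, and test_other_12 through test_other_15 and test_other_9 expect `1.2.3.4` under the same conditions. Either the harness injects a syslog header the fixture does not show, or the inputs were anonymised after the expected blocks were generated; in both cases the fixture cannot be checked from its own contents, so the input `message` should carry the token the parser actually consumes, and the anonymised address should be the same across all seven files.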
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133121> <6069> make_response: Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0"
+ },
+ "expected": {
+ "message": "<133121> <6069> make_response: Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "Sending USERDB_REJ-msg to 127.0.0.1:8214 with msgtype:23 id:232 reqtype:1 dbtype:0",
+ "type": [
+ "info"
+ ]
+ },
+ "destination": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 8214
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "127.0.0.1"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_13.json b/Aruba Network/aruba-os/tests/test_other_13.json
new file mode 100644
index 000000000..2ee0a9aad
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_13.json
@@ -0,0 +1,41 @@
+{
+ "input": {
+ "message": "<522274> <5962> Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6"
+ },
+ "expected": {
+ "message": "<522274> <5962> Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "reason": "Mgmt User Authentication failed. username=admin userip=1.2.3.4 servername=Internal serverip=3.4.5.6",
+ "type": [
+ "info"
+ ]
+ },
+ "destination": {
+ "address": "Internal",
+ "domain": "Internal",
+ "ip": "3.4.5.6"
+ },
+ "related": {
+ "hosts": [
+ "Internal"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "name": "admin"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_14.json b/Aruba Network/aruba-os/tests/test_other_14.json
new file mode 100644
index 000000000..bafe1ca21
--- /dev/null
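Review bot: test_other_13.json pins `destination.domain: "Internal"` and `related.hosts: ["Internal"]`, but the source token is `servername=Internal`, evidently the name of an authentication-server profile rather than a DNS domain, so the fixture locks in a questionable mapping made by `set_syslog_fields` (`destination.domain: "{{ syslog_parse_kv_part_message.message.servername }}"`). A vendor-namespaced field for the server profile name, with `destination.domain` reserved for values that are actually hostnames, would keep `related.hosts` meaningful for pivoting; `destination.ip` from `serverip` is fine as is.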
+++ b/Aruba Network/aruba-os/tests/test_other_14.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133006> <6069> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)"
+ },
+ "expected": {
+ "message": "<133006> <6069> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "reason": "User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "TEST_USER"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "name": "TEST_USER"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_15.json b/Aruba Network/aruba-os/tests/test_other_15.json
new file mode 100644
index 000000000..f657ee2e0
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_15.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133121> <6069> make_response: Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0"
+ },
+ "expected": {
+ "message": "<133121> <6069> make_response: Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "Sending USERDB_REJ-msg to 2.3.4.5:8214 with msgtype:23 id:17 reqtype:1 dbtype:0",
+ "type": [
+ "info"
+ ]
+ },
+ "destination": {
+ "address": "2.3.4.5",
+ "ip": "2.3.4.5",
+ "port": 8214
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "2.3.4.5"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Aruba Network/aruba-os/tests/test_other_9.json b/Aruba Network/aruba-os/tests/test_other_9.json
new file mode 100644
index 000000000..9db43c6b9
--- /dev/null
+++ b/Aruba Network/aruba-os/tests/test_other_9.json
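Review bot: As shown here, test_other_14.json carries the same input `message` and the same expected block as test_other_9.json; the two blob ids differ (`bafe1ca21` vs `9db43c6b9`), which suggests the files differ only in whitespace, so one of them adds no coverage. Drop one, or give it a distinct sample — for instance a `<133006>` record with a different user token, or a payload on which `USER_INFO` must not match.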
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "<133006> <6069> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)"
+ },
+ "expected": {
+ "message": "<133006> <6069> User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "reason": "User TEST_USER Failed Authentication (Processing USER_REQUEST on UserDB)",
+ "type": [
+ "info"
+ ]
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "TEST_USER"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "name": "TEST_USER"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-intune/ingest/parser.yml b/Microsoft/microsoft-intune/ingest/parser.yml
index 18825b70f..4bef605b6 100644
--- a/Microsoft/microsoft-intune/ingest/parser.yml
+++ b/Microsoft/microsoft-intune/ingest/parser.yml
@@ -9,7 +9,9 @@ pipeline:
 properties:
 input_field: "{{json_event.message.time}}"
 output_field: datetime
+
 - name: set_common_fields
+ filter: "{{json_event.message.category in ['AuditLogs', 'DeviceComplianceOrg', 'Devices', 'OperationalLogs']}}"
 stages:
 set_common_fields:
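Review bot: The new category allow-list on `set_common_fields` is a bare filter string with no record of why these four categories were chosen or what happens to everything else; the Warning1/Warning2 fixtures in this commit show that records with other `category` values (`MicrosoftGraphActivityLogs`, `NonInteractiveUserSignInLogs`) now end in the `No fields extracted from original event` warning. A comment above the stage, e.g. `# Only Intune categories are mapped; other categories arriving on this intake are intentionally left unparsed`, would mark that as deliberate rather than a gap. If `category` can be absent, `None in [...]` is simply false, so no extra guard is needed.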
@@ -21,28 +23,28 @@ stages:
 action.target: "user"
 action.type: "{{json_event.message.category}}"
 event.type: ["info"]
+ microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
 host.id: "{{json_event.message.properties.DeviceId}}"
- - set:
- host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
- filter: "{{json_event.message.properties.WifiMacAddress != null}}"
- - set:
 host.name: "{{json_event.message.properties.DeviceHostName}}"
- - set:
- host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
- filter: "{{final.host.name == null}}"
- - set:
 host.type: "{{json_event.message.properties.Model}}"
- microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
- network.application: "{{json_event.message.ApplicationName}}"
 host.os.full: "{{json_event.message.properties.OS}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
+ network.application: "{{json_event.message.ApplicationName}}"
 service.name: "{{json_event.message.properties.ManagedBy}}"
- - set:
- source.ip: "{{json_event.message.actor.ipAddress}}"
- filter: "{{json_event.message.actor.ipAddress | is_ipaddress}}"
- - set:
 source.mac: "{{json_event.message.properties.WifiMacAddress}}"
 user.email: "{{json_event.message.properties.UserEmail}}"
 user.id: "{{json_event.message.properties.IntuneAccountId}}"
 user.name: "{{json_event.message.properties.UserName or json_event.message.properties.Actor.UPN}}"
 user.roles: "{{json_event.message.properties.Actor.UserPermissions}}"
+
+ - set:
+ host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
+ filter: "{{json_event.message.properties.WifiMacAddress != null}}"
+
+ - set:
+ host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
+ filter: "{{final.host.name == null}}"
+
+ - set:
+ source.ip: "{{json_event.message.actor.ipAddress}}"
+ filter: "{{json_event.message.actor.ipAddress | 
is_ipaddress}}"
diff --git a/Microsoft/microsoft-intune/tests/Warning1.json b/Microsoft/microsoft-intune/tests/Warning1.json
new file mode 100644
index 000000000..2e19b3e0b
--- /dev/null
+++ b/Microsoft/microsoft-intune/tests/Warning1.json
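Review bot: After the reorder, `network.application` is the only key in the first `set` read from `json_event.message.ApplicationName`, while every neighbour reads `json_event.message.properties.*`; the line is moved rather than changed by this commit, but while it is being touched it is worth confirming the field really sits at the top level of the record — if it lives under `properties`, the mapping is always empty. The same `WifiMacAddress` feeds `source.mac` unconditionally in the first `set` and `host.mac` only under a `!= null` filter in the second; unless the engine drops empty templated values, the two should be guarded alike. The enclosing `set_common_fields` stage ends outside the hunk.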
@@ -0,0 +1,15 @@ +{ + "input": { + "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All 
User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}" + }, + "expected": { + "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All 
TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}", + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-intune/tests/Warning2.json b/Microsoft/microsoft-intune/tests/Warning2.json new file mode 100644 index 000000000..542b2988e --- /dev/null +++ b/Microsoft/microsoft-intune/tests/Warning2.json 
@@ -0,0 +1,15 @@ +{ + "input": { + "message": "{\"time\":\"2025-01-08T14:00:51.6877532Z\",\"resourceId\":\"/tenants/xxxxx-xxxxx-xxxxxx-xxxxxx/providers/Microsoft.aadiam\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"category\":\"NonInteractiveUserSignInLogs\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"resultType\":\"0\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.5\",\"correlationId\":\"000-000-000-012123\",\"identity\":\"Test\",\"Level\":4,\"location\":\"FR\",\"properties\":{\"id\":\"xxx-xxx-xxx-xxx\",\"createdDateTime\":\"2025-01-08T13:59:10.0962652+00:00\",\"userDisplayName\":\"Test\",\"userPrincipalName\":\"test.test@test.com\",\"userId\":\"00000000000-0000-0000-0000-0000000000\",\"appId\":\"00000-0000-0000-0000-00000000000\",\"appDisplayName\":\"Microsoft Edge\",\"ipAddress\":\"1.2.3.5\",\"status\":{\"errorCode\":0},\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045\",\"deviceDetail\":{\"deviceId\":\"deviceid\",\"displayName\":\"ORY2-EUD-D70007\",\"operatingSystem\":\"Windows10\",\"browser\":\"Edge 18.19045\",\"isCompliant\":true,\"isManaged\":true,\"trustType\":\"Hybrid Azure AD joined\"},\"location\":{\"city\":\"Aubervilliers\",\"state\":\"Seine-Saint-Denis\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.91482162475586,\"longitude\":2.3812100887298584}},\"correlationId\":\"000-000-000-012123\",\"conditionalAccessStatus\":\"success\",\"appliedConditionalAccessPolicies\":[{\"id\":\"aacab96d-2e38-4536-8f08-edd1520f9d28\",\"displayName\":\"User 
Only\",\"enforcedGrantControls\":[\"RequireInWeboMfa\"],\"enforcedSessionControls\":[\"ResiliencyDefaults\"],\"result\":\"success\",\"conditionsSatisfied\":7,\"conditionsNotSatisfied\":0},{\"id\":\"a3d82ad4-3be5-455f-9b76-1223dd4b3e4c\",\"displayName\":\"Admin_Access_Cloud_Apps\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"PersistentBrowserSessionMode\"],\"result\":\"notApplied\",\"conditionsSatisfied\":1,\"conditionsNotSatisfied\":2},{\"id\":\"32a2550d-dca7-4363-ae4c-b1210ba3eb15\",\"displayName\":\"Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"fd313848-6ab9-4443-abb5-e9e603124473\",\"displayName\":\"User Only Mobile\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"c88b0148-fbd1-41e0-a7ba-202237ae4c2e\",\"displayName\":\"SVC-Accounts-MFA-MS\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"98517482-7ec9-4c45-837d-bc0ecd35eeed\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 2024/08/23\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"eafcade5-ed5e-4e4a-9e28-cf29168b5d65\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"a3f2f310-8ab5-432e-a1d9-1e0580de47b1\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 
2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"8e649830-3abb-4bf7-80c5-8e32edfc3ccc\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"297d9858-e260-4d98-9ce7-b7af3b3d678e\",\"displayName\":\"BlockNonAdminListUsers\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"46a22b41-d774-4929-aa86-d360ac806bcf\",\"displayName\":\"Require compliant or hybrid Azure AD joined device or multifactor authentication for all users\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"result\":\"reportOnlySuccess\",\"conditionsSatisfied\":3,\"conditionsNotSatisfied\":0}],\"authenticationContextClassReferences\":[],\"originalRequestId\":\"xxx-xxx-xxx-xxx\",\"isInteractive\":false,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"authenticationProcessingDetails\":[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Oauth Scope Info\",\"value\":\"[\\\"Files.ReadWrite\\\",\\\"Files.ReadWrite.All\\\",\\\"Notes.Create\\\",\\\"Notes.ReadWrite\\\",\\\"Notes.ReadWrite.All\\\",\\\"People.Read\\\",\\\"profile\\\",\\\"User.Read\\\",\\\"User.ReadBasic.All\\\"]\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"networkLocationDetails\":[{\"networkType\":\"namedNetwork\",\"networkNames\":[\"Everaxis FR\"]},{\"networkType\":\"trustedNamedLocation\",\"networkNames\":[\"Everaxis 
Internal\"]}],\"clientCredentialType\":\"none\",\"processingTimeInMilliseconds\":94,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"homeTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"authenticationDetails\":[],\"authenticationRequirementPolicies\":[],\"sessionLifetimePolicies\":[],\"authenticationRequirement\":\"singleFactorAuthentication\",\"servicePrincipalId\":\"\",\"userType\":\"Member\",\"flaggedForReview\":false,\"isTenantRestricted\":false,\"autonomousSystemNumber\":3215,\"crossTenantAccessType\":\"none\",\"privateLinkDetails\":{},\"ssoExtensionVersion\":\"\",\"uniqueTokenIdentifier\":\"uidtokenxxxxxxx\",\"authenticationStrengths\":[],\"incomingTokenType\":\"primaryRefreshToken\",\"authenticationProtocol\":\"none\",\"appServicePrincipalId\":null,\"resourceServicePrincipalId\":\"xxxxx-xxxxx-xxxxx-xxxxx\",\"rngcStatus\":0,\"signInTokenProtectionStatus\":\"none\",\"tokenProtectionStatusDetails\":{\"signInSessionStatus\":\"bound\",\"signInSessionStatusCode\":0},\"originalTransferMethod\":\"none\",\"isThroughGlobalSecureAccess\":false,\"conditionalAccessAudiences\":[{\"applicationId\":\"00000003-0000-0000-0000-000000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"0000000000-0000-0000-0000-000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"00000002-0000-0000-c000-000000000000\",\"audienceReasons\":\"none\"}],\"sessionId\":\"xxxxx-0000-0000-00000-000000xxxxxx\"}}" + }, + "expected": { + "message": "{\"time\":\"2025-01-08T14:00:51.6877532Z\",\"resourceId\":\"/tenants/xxxxx-xxxxx-xxxxxx-xxxxxx/providers/Microsoft.aadiam\",\"operationName\":\"Sign-in 
activity\",\"operationVersion\":\"1.0\",\"category\":\"NonInteractiveUserSignInLogs\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"resultType\":\"0\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.5\",\"correlationId\":\"000-000-000-012123\",\"identity\":\"Test\",\"Level\":4,\"location\":\"FR\",\"properties\":{\"id\":\"xxx-xxx-xxx-xxx\",\"createdDateTime\":\"2025-01-08T13:59:10.0962652+00:00\",\"userDisplayName\":\"Test\",\"userPrincipalName\":\"test.test@test.com\",\"userId\":\"00000000000-0000-0000-0000-0000000000\",\"appId\":\"00000-0000-0000-0000-00000000000\",\"appDisplayName\":\"Microsoft Edge\",\"ipAddress\":\"1.2.3.5\",\"status\":{\"errorCode\":0},\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045\",\"deviceDetail\":{\"deviceId\":\"deviceid\",\"displayName\":\"ORY2-EUD-D70007\",\"operatingSystem\":\"Windows10\",\"browser\":\"Edge 18.19045\",\"isCompliant\":true,\"isManaged\":true,\"trustType\":\"Hybrid Azure AD joined\"},\"location\":{\"city\":\"Aubervilliers\",\"state\":\"Seine-Saint-Denis\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.91482162475586,\"longitude\":2.3812100887298584}},\"correlationId\":\"000-000-000-012123\",\"conditionalAccessStatus\":\"success\",\"appliedConditionalAccessPolicies\":[{\"id\":\"aacab96d-2e38-4536-8f08-edd1520f9d28\",\"displayName\":\"User 
Only\",\"enforcedGrantControls\":[\"RequireInWeboMfa\"],\"enforcedSessionControls\":[\"ResiliencyDefaults\"],\"result\":\"success\",\"conditionsSatisfied\":7,\"conditionsNotSatisfied\":0},{\"id\":\"a3d82ad4-3be5-455f-9b76-1223dd4b3e4c\",\"displayName\":\"Admin_Access_Cloud_Apps\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"PersistentBrowserSessionMode\"],\"result\":\"notApplied\",\"conditionsSatisfied\":1,\"conditionsNotSatisfied\":2},{\"id\":\"32a2550d-dca7-4363-ae4c-b1210ba3eb15\",\"displayName\":\"Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"fd313848-6ab9-4443-abb5-e9e603124473\",\"displayName\":\"User Only Mobile\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"c88b0148-fbd1-41e0-a7ba-202237ae4c2e\",\"displayName\":\"SVC-Accounts-MFA-MS\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"98517482-7ec9-4c45-837d-bc0ecd35eeed\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 2024/08/23\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"eafcade5-ed5e-4e4a-9e28-cf29168b5d65\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"a3f2f310-8ab5-432e-a1d9-1e0580de47b1\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 
2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"8e649830-3abb-4bf7-80c5-8e32edfc3ccc\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"297d9858-e260-4d98-9ce7-b7af3b3d678e\",\"displayName\":\"BlockNonAdminListUsers\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"46a22b41-d774-4929-aa86-d360ac806bcf\",\"displayName\":\"Require compliant or hybrid Azure AD joined device or multifactor authentication for all users\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"result\":\"reportOnlySuccess\",\"conditionsSatisfied\":3,\"conditionsNotSatisfied\":0}],\"authenticationContextClassReferences\":[],\"originalRequestId\":\"xxx-xxx-xxx-xxx\",\"isInteractive\":false,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"authenticationProcessingDetails\":[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Oauth Scope Info\",\"value\":\"[\\\"Files.ReadWrite\\\",\\\"Files.ReadWrite.All\\\",\\\"Notes.Create\\\",\\\"Notes.ReadWrite\\\",\\\"Notes.ReadWrite.All\\\",\\\"People.Read\\\",\\\"profile\\\",\\\"User.Read\\\",\\\"User.ReadBasic.All\\\"]\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"networkLocationDetails\":[{\"networkType\":\"namedNetwork\",\"networkNames\":[\"Everaxis FR\"]},{\"networkType\":\"trustedNamedLocation\",\"networkNames\":[\"Everaxis 
Internal\"]}],\"clientCredentialType\":\"none\",\"processingTimeInMilliseconds\":94,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"homeTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"authenticationDetails\":[],\"authenticationRequirementPolicies\":[],\"sessionLifetimePolicies\":[],\"authenticationRequirement\":\"singleFactorAuthentication\",\"servicePrincipalId\":\"\",\"userType\":\"Member\",\"flaggedForReview\":false,\"isTenantRestricted\":false,\"autonomousSystemNumber\":3215,\"crossTenantAccessType\":\"none\",\"privateLinkDetails\":{},\"ssoExtensionVersion\":\"\",\"uniqueTokenIdentifier\":\"uidtokenxxxxxxx\",\"authenticationStrengths\":[],\"incomingTokenType\":\"primaryRefreshToken\",\"authenticationProtocol\":\"none\",\"appServicePrincipalId\":null,\"resourceServicePrincipalId\":\"xxxxx-xxxxx-xxxxx-xxxxx\",\"rngcStatus\":0,\"signInTokenProtectionStatus\":\"none\",\"tokenProtectionStatusDetails\":{\"signInSessionStatus\":\"bound\",\"signInSessionStatusCode\":0},\"originalTransferMethod\":\"none\",\"isThroughGlobalSecureAccess\":false,\"conditionalAccessAudiences\":[{\"applicationId\":\"00000003-0000-0000-0000-000000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"0000000000-0000-0000-0000-000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"00000002-0000-0000-c000-000000000000\",\"audienceReasons\":\"none\"}],\"sessionId\":\"xxxxx-0000-0000-00000-000000xxxxxx\"}}", + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } +} \ No newline at end of file
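Review bot: Most identifiers in this fixture are masked (`xxxxx-…`, `1.2.3.5`), but several values look like real tenant details — the `networkNames` entries, the device `displayName`, the `city`/`state`/`geoCoordinates`, and the conditional-access policy `displayName`/`id` list — and since the expected block asserts that nothing is extracted, they can be replaced with placeholders without weakening the test. The `category` value is the only part the new filter evaluates, so it is the one to keep verbatim.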