{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "2d98e7a7-d340-474c-bb58-07a44018e1bb", "eventName": {"value": "BeginRequest", "localizedValue": "Begin request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "0431e78f-3593-4c9a-9906-bf719e2ba020", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/2d98e7a7-d340-474c-bb58-07a44018e1bb/ticks/637967914513608124", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "operationId": "5adef72a-711e-4c8d-8d53-815860495dbd", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create or Update an Azure Automation Runbook"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Started", "localizedValue": "Started"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T18:57:31.3608124Z", "submissionTimestamp": "2022-08-22T18:58:43.2076774Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"} {"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "0f92c7ed-bc77-42c4-af80-368b21212c22", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "0431e78f-3593-4c9a-9906-bf719e2ba020", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/0f92c7ed-bc77-42c4-af80-368b21212c22/ticks/637967914523139532", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "operationId": "5adef72a-711e-4c8d-8d53-815860495dbd", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create or Update an Azure Automation Runbook"}, "properties": {"statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "Created", "localizedValue": "Created (HTTP Status Code: 201)"}, "eventTimestamp": "2022-08-22T18:57:32.3139532Z", "submissionTimestamp": "2022-08-22T18:58:43.2076774Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"} {"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "33222fe2-e813-45e4-8d9b-eaff6d1efa03", "description": "", "eventDataId": "9f30d336-f3de-4e3b-a2a1-6da020f3c08f", "eventName": {"value": "BeginRequest", "localizedValue": "Begin request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "0431e78f-3593-4c9a-9906-bf719e2ba021", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content/events/9f30d336-f3de-4e3b-a2a1-6da020f3c08f/ticks/637967914524098127", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "operationId": "33222fe2-e813-45e4-8d9b-eaff6d1efa03", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "localizedValue": "Write an Azure Automation runbook draft"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "message": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Started", "localizedValue": "Started"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T18:57:32.4098127Z", "submissionTimestamp": "2022-08-22T18:58:37.1684494Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"} {"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "33222fe2-e813-45e4-8d9b-eaff6d1efa03", "description": "", "eventDataId": "0761a772-f2a7-47fe-821c-c7e39ff7a504", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "0431e78f-3593-4c9a-9906-bf719e2ba021", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content/events/0761a772-f2a7-47fe-821c-c7e39ff7a504/ticks/637967914526754498", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "operationId": "33222fe2-e813-45e4-8d9b-eaff6d1efa03", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "localizedValue": "Write an Azure Automation runbook draft"}, "properties": {"statusCode": "Accepted", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "message": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Accepted", "localizedValue": "Accepted"}, "subStatus": {"value": "Accepted", "localizedValue": "Accepted (HTTP Status Code: 202)"}, "eventTimestamp": "2022-08-22T18:57:32.6754498Z", "submissionTimestamp": "2022-08-22T18:58:37.1694478Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"} {"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "33222fe2-e813-45e4-8d9b-eaff6d1efa03", "description": "", "eventDataId": "3f4399c9-0738-4c28-bc2d-60f5465cce8e", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content/events/3f4399c9-0738-4c28-bc2d-60f5465cce8e/ticks/637967914588069682", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "operationId": "8efc9f9a-14ce-4e62-beef-250797a12cfe", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "localizedValue": "Write an Azure Automation runbook draft"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/draft/content", "message": "Microsoft.Automation/automationAccounts/runbooks/draft/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T18:57:38.8069682Z", "submissionTimestamp": "2022-08-22T18:58:27.1490911Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"} {"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "303f17eb-10cb-458f-8a80-683f40f123a2", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/303f17eb-10cb-458f-8a80-683f40f123a2/ticks/637967920541346086", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "operationId": "b6e30ace-986c-4735-980f-926db0b43336", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create or Update an Azure Automation Runbook"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T19:07:34.1346086Z", "submissionTimestamp": "2022-08-22T19:08:54.1547383Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}