{"id": "a627eda3-f254-471c-a1a2-6c72b3ef2d00", "createdDateTime": "2023-10-24T20:01:22Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "dd5aaf20-53c0-031e-b523-b26c7d82e7e2", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "WindowsPhone", "browser": "Android 4.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "835515be-e52c-4481-897d-eac80de63a00", "createdDateTime": "2023-10-24T20:01:20Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "c49b1575-9797-33f5-3c89-ab1c13435fe3", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Ios", "browser": "Mobile Safari 12.1", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "c9cc5a0e-e8ce-403b-ab8d-53577f632f00", "createdDateTime": "2023-10-24T20:01:18Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "be59db3e-de3d-8122-9582-f28aaacc505f", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Android", "browser": "Chrome Mobile 85.0.4183", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "9b0971c1-e17c-46e5-b69c-5a85445a2300", "createdDateTime": "2023-10-24T20:01:16Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "1451f887-74ab-3087-d834-0add56148648", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Safari 11.1.2", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "a6511370-6064-46a5-b74f-efecf3e53500", "createdDateTime": "2023-10-24T20:01:15Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "f2b4f1e7-42ea-e7d0-1c2d-4757aae1b614", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Linux", "browser": "Firefox 24.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "42a77f92-edc3-420b-b2d1-d1a72f333200", "createdDateTime": "2023-10-24T20:01:13Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "1.2.3.4", "clientAppUsed": "Browser", "correlationId": "83b17275-b33d-7e00-fc79-4fbf5242d3ed", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Windows10", "browser": "Edge 107.0.1418", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "90078e70-c661-4ce4-ab28-ec84e6453700", "createdDateTime": "2023-10-24T20:01:12Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "1950a258-227b-4e31-a9cf-717495945fc2", "appDisplayName": "Microsoft Azure PowerShell", "ipAddress": "1.2.3.4", "clientAppUsed": "Mobile Apps and Desktop clients", "correlationId": "a531d29a-80d7-4a8c-9017-80f36c33d089", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "status": {"errorCode": 50076, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}'.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Windows", "browser": "", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "createdDateTime": "2023-10-24T20:01:11Z", "userDisplayName": "victim", "userPrincipalName": "victim@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "1.2.3.4", "clientAppUsed": "Mobile Apps and Desktop clients", "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "status": {"errorCode": 50076, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}'.", "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Windows", "browser": "", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 10.23424, "longitude": -73.99698}}, "appliedConditionalAccessPolicies": []}
{"CreationTime": "2023-10-24T20:01:22", "Id": "3d84adce-5ff0-4a21-bfe8-08e694173200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 635) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "dd5aaf20-53c0-031e-b523-b26c7d82e7e2", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e694173200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "WindowsPhone"}, {"Name": "BrowserType", "Value": "IE"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "691d3138-41e6-493a-8136-7113771ce0fb"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:22", "Id": "3d84adce-5ff0-4a21-bfe8-08e694173200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 635) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "dd5aaf20-53c0-031e-b523-b26c7d82e7e2", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e694173200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "WindowsPhone"}, {"Name": "BrowserType", "Value": "IE"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "691d3138-41e6-493a-8136-7113771ce0fb"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:20", "Id": "90078e70-c661-4ce4-ab28-ec84a7483700", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "c49b1575-9797-33f5-3c89-ab1c13435fe3", "IntraSystemId": "90078e70-c661-4ce4-ab28-ec84a7483700", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Ios"}, {"Name": "BrowserType", "Value": "Safari"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "65b8bdf1-a475-48e5-a357-36a35da33c7f"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:20", "Id": "90078e70-c661-4ce4-ab28-ec84a7483700", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "c49b1575-9797-33f5-3c89-ab1c13435fe3", "IntraSystemId": "90078e70-c661-4ce4-ab28-ec84a7483700", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Ios"}, {"Name": "BrowserType", "Value": "Safari"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "65b8bdf1-a475-48e5-a357-36a35da33c7f"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:18", "Id": "3d84adce-5ff0-4a21-bfe8-08e6b9163200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Mobile Safari/537.36"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "be59db3e-de3d-8122-9582-f28aaacc505f", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e6b9163200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Android"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "3df8896a-5bab-44af-9cca-543ea7a25405"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:18", "Id": "3d84adce-5ff0-4a21-bfe8-08e6b9163200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Mobile Safari/537.36"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "be59db3e-de3d-8122-9582-f28aaacc505f", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e6b9163200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Android"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "3df8896a-5bab-44af-9cca-543ea7a25405"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:16", "Id": "3d84adce-5ff0-4a21-bfe8-08e650163200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "1451f887-74ab-3087-d834-0add56148648", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e650163200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Safari"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "d3e8f8b2-48f8-441d-a82d-a2dcca409ee2"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:16", "Id": "3d84adce-5ff0-4a21-bfe8-08e650163200", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "1451f887-74ab-3087-d834-0add56148648", "IntraSystemId": "3d84adce-5ff0-4a21-bfe8-08e650163200", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Safari"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "d3e8f8b2-48f8-441d-a82d-a2dcca409ee2"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:15", "Id": "bc24a3c0-caae-47d7-b6e0-a3339b433300", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "f2b4f1e7-42ea-e7d0-1c2d-4757aae1b614", "IntraSystemId": "bc24a3c0-caae-47d7-b6e0-a3339b433300", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Linux"}, {"Name": "BrowserType", "Value": "Firefox"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "68c9b06a-8b42-4dbc-81db-6ec926eda151"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:15", "Id": "bc24a3c0-caae-47d7-b6e0-a3339b433300", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "f2b4f1e7-42ea-e7d0-1c2d-4757aae1b614", "IntraSystemId": "bc24a3c0-caae-47d7-b6e0-a3339b433300", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Linux"}, {"Name": "BrowserType", "Value": "Firefox"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "68c9b06a-8b42-4dbc-81db-6ec926eda151"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:13", "Id": "e7a5dbc1-55b4-4e70-8667-e6ea22503300", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.56"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "83b17275-b33d-7e00-fc79-4fbf5242d3ed", "IntraSystemId": "e7a5dbc1-55b4-4e70-8667-e6ea22503300", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Edge"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "e454cabf-3db5-4216-b0c6-b0abdbdb0748"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:13", "Id": "e7a5dbc1-55b4-4e70-8667-e6ea22503300", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Success", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.56"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "83b17275-b33d-7e00-fc79-4fbf5242d3ed", "IntraSystemId": "e7a5dbc1-55b4-4e70-8667-e6ea22503300", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Edge"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "e454cabf-3db5-4216-b0c6-b0abdbdb0748"}], "ErrorNumber": "50074", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt"}
{"CreationTime": "2023-10-24T20:01:12", "Id": "90078e70-c661-4ce4-ab28-ec84e6453700", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "OAuth2:Token"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "a531d29a-80d7-4a8c-9017-80f36c33d089", "IntraSystemId": "90078e70-c661-4ce4-ab28-ec84e6453700", "SupportTicketId": "", "Target": [{"ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "1950a258-227b-4e31-a9cf-717495945fc2", "DeviceProperties": [{"Name": "OS", "Value": "Windows"}, {"Name": "BrowserType", "Value": "Other"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "5ff561f4-f400-445f-812b-fed4b7d12c0c"}], "ErrorNumber": "50076", "LogonError": "UserStrongAuthClientAuthNRequired"}
{"CreationTime": "2023-10-24T20:01:11", "Id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "Operation": "UserLoginFailed", "OrganizationId": "b5269786-a614-478e-adf8-c54ae3769109", "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.2.3.4", "ObjectId": "00000002-0000-0000-c000-000000000000", "UserId": "victim@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "OAuth2:Token"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "victim@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ActorIpAddress": "1.2.3.4", "InterSystemsId": "1f577997-0710-4bd4-848e-5854f748f7dc", "IntraSystemId": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0000-c000-000000000000", "Type": 0}], "TargetContextId": "b5269786-a614-478e-adf8-c54ae3769109", "ApplicationId": "1b730954-1685-4b74-9bfd-dac224a7b894", "DeviceProperties": [{"Name": "OS", "Value": "Windows"}, {"Name": "BrowserType", "Value": "Other"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "83271949-344c-472a-b983-d3ac68f3addc"}], "ErrorNumber": "50076", "LogonError": "UserStrongAuthClientAuthNRequired"}