{"time": "2023-09-14T16:10:52.0899059Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "Level": 4, "properties": {"id": "Directory_7b064cde-9d34-4533-af28-3d9c29663f71_S9S3W_56747597", "category": "ApplicationManagement", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "result": "success", "resultReason": "", "activityDisplayName": "Consent to application", "activityDateTime": "2023-09-14T16:10:52.0899059+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "7db24127-7f84-4a1f-8885-9ee3de827441", "displayName": "BadApp", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"True\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"True\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: J0GyfYR_H0qIhZ7j3oJ0QVM2OzMi5opLpVy2fYeBE9s, ClientId: 7db24127-7f84-4a1f-8885-9ee3de827441, PrincipalId: , ResourceId: 333b3653-e622-4b8a-a55c-b67d878113db, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}
{"time": "2023-09-14T16:10:52.0889040Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Add app role assignment grant to user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "Level": 4, "properties": {"id": "Directory_7b064cde-9d34-4533-af28-3d9c29663f71_S9S3W_56747580", "category": "UserManagement", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment grant to user", "activityDateTime": "2023-09-14T16:10:52.088904+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "7db24127-7f84-4a1f-8885-9ee3de827441", "displayName": "BadApp", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id", "oldValue": null, "newValue": "\"00000000-0000-0000-0000-000000000000\""}, {"displayName": "AppRole.Value", "oldValue": null, "newValue": "\"\""}, {"displayName": "AppRole.DisplayName", "oldValue": null, "newValue": "\"\""}, {"displayName": "AppRoleAssignment.CreatedDateTime", "oldValue": null, "newValue": "\"2023-09-14T16:10:51.9669001Z\""}, {"displayName": "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2023-09-14T16:10:51.9669001Z\""}, {"displayName": "User.ObjectID", "oldValue": null, "newValue": "\"3bd47e42-37c9-442f-a2b4-f04de61ef0ce\""}, {"displayName": "User.UPN", "oldValue": null, "newValue": "\"baduser_splunkresearch.com#EXT#@strtadminsplunkresearch.onmicrosoft.com\""}, {"displayName": "User.PUID", "oldValue": null, "newValue": "\"1003200242C6D09A\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}], "administrativeUnits": []}, {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "type": "User", "userPrincipalName": "baduser_splunkresearch.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}
{"time": "2023-09-14T16:10:51.8318993Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Add app role assignment to service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "Level": 4, "properties": {"id": "Directory_7b064cde-9d34-4533-af28-3d9c29663f71_S9S3W_56746565", "category": "ApplicationManagement", "correlationId": "7b064cde-9d34-4533-af28-3d9c29663f71", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment to service principal", "activityDateTime": "2023-09-14T16:10:51.8318993+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "333b3653-e622-4b8a-a55c-b67d878113db", "displayName": "Microsoft Graph", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id", "oldValue": null, "newValue": "\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\""}, {"displayName": "AppRole.Value", "oldValue": null, "newValue": "\"Mail.Read\""}, {"displayName": "AppRole.DisplayName", "oldValue": null, "newValue": "\"Read mail in all mailboxes\""}, {"displayName": "AppRoleAssignment.CreatedDateTime", "oldValue": null, "newValue": "\"2023-09-14T16:10:51.7048923Z\""}, {"displayName": "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2023-09-14T16:10:51.7048923Z\""}, {"displayName": "ServicePrincipal.ObjectID", "oldValue": null, "newValue": "\"7db24127-7f84-4a1f-8885-9ee3de827441\""}, {"displayName": "ServicePrincipal.DisplayName", "oldValue": null, "newValue": "\"BadApp\""}, {"displayName": "ServicePrincipal.AppId", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}, {"displayName": "ServicePrincipal.Name", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://canary.graph.microsoft.com/;https://graph.microsoft.us/;https://dod-graph.microsoft.us/\""}], "administrativeUnits": []}, {"id": "7db24127-7f84-4a1f-8885-9ee3de827441", "displayName": "46699fff-9ab0-4e19-94a7-ea8499fd113c", "type": "ServicePrincipal", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "00000003-0000-0000-c000-000000000000"}]}}
{"time": "2023-09-14T16:10:42.6317137Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0", "Level": 4, "properties": {"id": "Directory_65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0_UXGN1_117457385", "category": "ApplicationManagement", "correlationId": "65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0", "result": "success", "resultReason": "", "activityDisplayName": "Update application", "activityDateTime": "2023-09-14T16:10:42.6317137+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "a9fe5e96-5031-4b95-8f0e-07ce84ebf739", "displayName": "BadApp", "type": "Application", "modifiedProperties": [{"displayName": "RequiredResourceAccess", "oldValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]}],\"EncodingVersion\":1}]", "newValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"RequiredResourceAccess\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}
{"time": "2023-09-14T16:10:42.5057032Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Update service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0", "Level": 4, "properties": {"id": "Directory_65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0_UXGN1_117457014", "category": "ApplicationManagement", "correlationId": "65c9f04e-b3b9-4e1f-9beb-f716b4a2d3d0", "result": "success", "resultReason": "", "activityDisplayName": "Update service principal", "activityDateTime": "2023-09-14T16:10:42.5057032+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "7db24127-7f84-4a1f-8885-9ee3de827441", "displayName": "BadApp", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}
{"time": "2023-09-14T16:10:25.3753287Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Add service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "5739b4d7-d251-4f67-8cfa-04ec841e2f58", "Level": 4, "properties": {"id": "Directory_5739b4d7-d251-4f67-8cfa-04ec841e2f58_ECLCC_130111741", "category": "ApplicationManagement", "correlationId": "5739b4d7-d251-4f67-8cfa-04ec841e2f58", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2023-09-14T16:10:25.3753287+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "7db24127-7f84-4a1f-8885-9ee3de827441", "displayName": "BadApp", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"}, {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"46699fff-9ab0-4e19-94a7-ea8499fd113c\"]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"BadApp\"]"}, {"displayName": "ServicePrincipalName", "oldValue": "[]", "newValue": "[\"46699fff-9ab0-4e19-94a7-ea8499fd113c\"]"}, {"displayName": "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"46699fff-9ab0-4e19-94a7-ea8499fd113c\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}
{"time": "2023-09-14T16:10:25.1330603Z", "resourceId": "/tenants/332399e8-7e86-40ce-aa2a-21b0d0cda485/providers/Microsoft.aadiam", "operationName": "Add application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "332399e8-7e86-40ce-aa2a-21b0d0cda485", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "5b1f1a5a-34d6-4da2-9a8d-ec834db86ea0", "Level": 4, "properties": {"id": "Directory_5b1f1a5a-34d6-4da2-9a8d-ec834db86ea0_O6SSO_121513457", "category": "ApplicationManagement", "correlationId": "5b1f1a5a-34d6-4da2-9a8d-ec834db86ea0", "result": "success", "resultReason": "", "activityDisplayName": "Add application", "activityDateTime": "2023-09-14T16:10:25.1330603+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "baduser@splunkresearch.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "a9fe5e96-5031-4b95-8f0e-07ce84ebf739", "displayName": "BadApp", "type": "Application", "modifiedProperties": [{"displayName": "AppId", "oldValue": "[]", "newValue": "[\"46699fff-9ab0-4e19-94a7-ea8499fd113c\"]"}, {"displayName": "AvailableToOtherTenants", "oldValue": "[]", "newValue": "[false]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"BadApp\"]"}, {"displayName": "RequiredResourceAccess", "oldValue": "[]", "newValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]}],\"EncodingVersion\":1}]"}, {"displayName": "PublisherDomain", "oldValue": "[]", "newValue": "[\"splunkresearch.com\"]"}, {"displayName": "ServicePrincipalLockConfiguration", "oldValue": "[]", "newValue": "[{\"IsEnabled\":true,\"AllProperties\":true,\"CredentialsWithUsageVerify\":true,\"CredentialsWithUsageSign\":true,\"IdentifierUris\":false,\"TokenEncryptionKeyId\":true}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "46699fff-9ab0-4e19-94a7-ea8499fd113c"}]}}