{"time": "2023-04-26T19:02:20.3099524Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "d37e1b42-4249-4162-a307-be774bfc6e7e", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "4f00fd1b-6217-43f4-aa22-410523b84800", "createdDateTime": "2023-04-26T19:02:20.3099524+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "d37e1b42-4249-4162-a307-be774bfc6e7e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "4f00fd1b-6217-43f4-aa22-410523b84800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 94, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T19:02:20.3099524+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "G_0ATxdi9EOqIkEFI7hIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T19:02:20.1717107Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "dd7e970a-8022-4897-8ebe-6be7c59e4e26", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "9a6cc0ed-801b-4c5d-b2c7-c473a5f25e00", "createdDateTime": "2023-04-26T19:02:20.1717107+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "dd7e970a-8022-4897-8ebe-6be7c59e4e26", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "9a6cc0ed-801b-4c5d-b2c7-c473a5f25e00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 84, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T19:02:20.1717107+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "7cBsmhuAXUyyx8RzpfJeAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T19:02:19.9359439Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "bdde7ab1-e33b-497e-aee3-7fc28637eecc", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "4f00fd1b-6217-43f4-aa22-410503b84800", "createdDateTime": "2023-04-26T19:02:19.9359439+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "bdde7ab1-e33b-497e-aee3-7fc28637eecc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "4f00fd1b-6217-43f4-aa22-410503b84800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 182, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T19:02:19.9359439+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "G_0ATxdi9EOqIkEFA7hIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T19:02:19.4742935Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e61cf9e3-204b-4667-bc0f-5f8534b7b8dc", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "982c4692-f15f-40a8-a798-10ca53494600", "createdDateTime": "2023-04-26T19:02:19.4742935+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e61cf9e3-204b-4667-bc0f-5f8534b7b8dc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "982c4692-f15f-40a8-a798-10ca53494600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 83, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T19:02:19.4742935+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "kkYsmF_xqECnmBDKU0lGAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T19:01:06.2158497Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.91.19", "correlationId": "a29b3daf-e4dc-49f9-b6c1-75b3330313e8", "Level": 4, "location": "US", "properties": {"id": "02b2428a-fed9-494f-8a8c-332b550e4600", "createdDateTime": "2023-04-26T19:01:06.2158497+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.91.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "a29b3daf-e4dc-49f9-b6c1-75b3330313e8", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "ikKyAtn-T0mKjDMrVQ5GAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}}
{"time": "2023-04-26T19:00:25.1569288Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "33cb5b2d-d8c3-4618-ba69-3a317d8f4e0a", "identity": "Microsoft Azure AD Internal - Jit Provisioning", "Level": 4, "properties": {"id": "Directory_33cb5b2d-d8c3-4618-ba69-3a317d8f4e0a_8OPJV_234200621", "category": "ApplicationManagement", "correlationId": "33cb5b2d-d8c3-4618-ba69-3a317d8f4e0a", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2023-04-26T19:00:25.1569288+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {}, "targetResources": [{"id": "f5cc8089-5320-4194-a687-f6f430dfbe5b", "displayName": "IDML Graph Resolver Service and CAD", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"}, {"displayName": "AppAddress", "oldValue": "[]", "newValue": "[{\"AddressType\":0,\"Address\":\"https://appdiscovery.azure.com/\",\"ReplyAddressClientType\":1,\"ReplyAddressIndex\":null,\"IsReplyAddressDefault\":false},{\"AddressType\":0,\"Address\":\"https://aadinsights.azure.com/\",\"ReplyAddressClientType\":1,\"ReplyAddressIndex\":null,\"IsReplyAddressDefault\":false},{\"AddressType\":0,\"Address\":\"https://aadinsights.azure.com/Account/AADSignIn\",\"ReplyAddressClientType\":1,\"ReplyAddressIndex\":null,\"IsReplyAddressDefault\":false}]"}, {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"d88a361a-d488-4271-a13f-a83df7dd99c2\"]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"IDML Graph Resolver Service and CAD\"]"}, {"displayName": "ServicePrincipalName", "oldValue": "[]", "newValue": "[\"https://serresappisv.onmicrosoft.com/SerresProd\",\"https://aadinsights.azure.com/prod\",\"d88a361a-d488-4271-a13f-a83df7dd99c2\"]"}, {"displayName": "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"d9ac1f72-6564-44a5-8dea-ce75a62660e4\"}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppAddress, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"https://serresappisv.onmicrosoft.com/SerresProd;https://aadinsights.azure.com/prod;d88a361a-d488-4271-a13f-a83df7dd99c2\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "AppId", "value": "d88a361a-d488-4271-a13f-a83df7dd99c2"}]}}
{"time": "2023-04-26T18:59:46.0565631Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "4513248d-484a-4374-aabc-8a969c972119", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "eb68d7c4-0fc4-4da1-9d43-e2667bd94a00", "createdDateTime": "2023-04-26T18:59:46.0565631+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "4513248d-484a-4374-aabc-8a969c972119", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "eb68d7c4-0fc4-4da1-9d43-e2667bd94a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 144, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:46.0565631+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "xNdo68QPoU2dQ-Jme9lKAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:46.0161130Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "d630b8f3-b36a-4c6f-803c-4eb498ffa399", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "264d0500-34ce-470c-8b8a-c6c02a824c00", "createdDateTime": "2023-04-26T18:59:46.016113+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "d630b8f3-b36a-4c6f-803c-4eb498ffa399", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "264d0500-34ce-470c-8b8a-c6c02a824c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 85, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:46.016113+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "AAVNJs40DEeLisbAKoJMAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:45.9407664Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b07b4a42-1168-4e8d-bb4e-bf123d0b7ac3", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "9f5d2dfa-8c1c-427a-8968-604600fe5c00", "createdDateTime": "2023-04-26T18:59:45.9407664+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b07b4a42-1168-4e8d-bb4e-bf123d0b7ac3", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "9f5d2dfa-8c1c-427a-8968-604600fe5c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 77, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "IAM Supportability", "resourceId": "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:45.9407664+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "-i1dnxyMekKJaGBGAP5cAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "592cad50-5996-4875-b604-d21539fa4483", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:45.7257788Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "771ee00f-59ed-493f-b96d-b0bc9146546d", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "666b3a55-c5fe-4bfb-88f4-11abc3905b00", "createdDateTime": "2023-04-26T18:59:45.7257788+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "771ee00f-59ed-493f-b96d-b0bc9146546d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "666b3a55-c5fe-4bfb-88f4-11abc3905b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 66, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:45.7257788+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "VTprZv7F-0uI9BGrw5BbAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:45.5117791Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "fdfa12ac-c5c1-47b1-9a0d-390d1e6c2dfe", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "666b3a55-c5fe-4bfb-88f4-11abb6905b00", "createdDateTime": "2023-04-26T18:59:45.5117791+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "fdfa12ac-c5c1-47b1-9a0d-390d1e6c2dfe", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "666b3a55-c5fe-4bfb-88f4-11abb6905b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 109, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:45.5117791+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "VTprZv7F-0uI9BGrtpBbAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:45.0605295Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "911cebf7-9bb2-4c71-8308-47b1dae0f4df", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "8cd5746e-6ea0-4b27-a280-dcebac584500", "createdDateTime": "2023-04-26T18:59:45.0605295+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "911cebf7-9bb2-4c71-8308-47b1dae0f4df", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "8cd5746e-6ea0-4b27-a280-dcebac584500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 112, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:45.0605295+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bnTVjKBuJ0uigNzrrFhFAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:44.6074889Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "59c54f11-b9f7-4ea6-bd91-8907b1f43f69", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "4bc80cb5-4c55-43c3-81b2-d08eba494400", "createdDateTime": "2023-04-26T18:59:44.6074889+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "59c54f11-b9f7-4ea6-bd91-8907b1f43f69", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "4bc80cb5-4c55-43c3-81b2-d08eba494400", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 183, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:44.6074889+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "tQzIS1VMw0OBstCOuklEAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:44.1821338Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "78f8f3bd-c79f-46ce-acd8-65ab39134300", "createdDateTime": "2023-04-26T18:59:44.1821338+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "78f8f3bd-c79f-46ce-acd8-65ab39134300", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 219, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:44.1821338+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:59:44.1821338+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "vfP4eJ_Hzkas2GWrORNDAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:25.3392396Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "4537194c-ebc0-4db8-9bac-9ac3ad7e2feb", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "ac57588d-d806-4471-9a0b-073e948b4600", "createdDateTime": "2023-04-26T18:59:25.3392396+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "4537194c-ebc0-4db8-9bac-9ac3ad7e2feb", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ac57588d-d806-4471-9a0b-073e948b4600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 67, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:25.3392396+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "jVhXrAbYcUSaCwc-lItGAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:25.1084143Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role completed (PIM activation)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "need to work", "durationMs": 0, "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "identity": "User30", "Level": 4, "properties": {"id": "PIM_03c9ce48-53ee-47c4-ba40-cd3a701e5edb_MR6VV_117673645", "category": "RoleManagement", "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "result": "success", "resultReason": "need to work", "activityDisplayName": "Add member to role completed (PIM activation)", "activityDateTime": "2023-04-26T18:59:25.1084143+00:00", "loggedByService": "PIM", "operationType": "ActivateRole", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "userPrincipalName": "User30@splunkresearch.com", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "27557e16-f91f-4ce3-bf3f-d8cb2b16922d", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}, {"id": "d2cfdb54-7c8c-4097-9330-486f3acc30b5", "displayName": null, "type": "RoleSchedule", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "StartTime", "value": "2023-04-26T18:59:23.4248235Z"}, {"key": "ExpirationTime", "value": "2023-04-27T02:59:23.4248235Z"}, {"key": "Justification", "value": "need to work"}, {"key": "oid", "value": "40b61050-e814-4ae5-8ffe-66b6f0c53998"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:59:24.6742713Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "40.126.23.163", "correlationId": "02d4df5a-784c-4820-93db-f11177e1950a", "identity": "MS-PIM", "Level": 4, "properties": {"id": "Directory_02d4df5a-784c-4820-93db-f11177e1950a_2FFV2_298102829", "category": "RoleManagement", "correlationId": "02d4df5a-784c-4820-93db-f11177e1950a", "result": "success", "resultReason": "", "activityDisplayName": "Add member to role", "activityDateTime": "2023-04-26T18:59:24.6742713+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "MS-PIM", "servicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "servicePrincipalName": null}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"4c609f03-ed46-4684-8ce9-40b7d632fbe1\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Global Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"TenantAdmins\""}, {"displayName": "ActorId.ServicePrincipalNames", "oldValue": null, "newValue": "\"01fc33a7-78ba-4d2f-a4b7-768e336e890e;https://api.aadr.mspim.azure.com/;https://api.azrbac.mspim.azure.com/;https://mspim.onmicrosoft.com/;https://canaryapi.azrbac.mspim.azure.com/\""}, {"displayName": "SPN", "oldValue": null, "newValue": "\"01fc33a7-78ba-4d2f-a4b7-768e336e890e;https://api.aadr.mspim.azure.com/;https://api.azrbac.mspim.azure.com/;https://mspim.onmicrosoft.com/;https://canaryapi.azrbac.mspim.azure.com/\""}], "administrativeUnits": []}, {"id": "4c609f03-ed46-4684-8ce9-40b7d632fbe1", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:59:11.8891144Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "c0b02311-b42d-4796-9da5-aa29ed6f4600", "createdDateTime": "2023-04-26T18:59:11.8891144+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "appDisplayName": "MS-PIM", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.37.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "c0b02311-b42d-4796-9da5-aa29ed6f4600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"ElevatedAccessControl-Internal.Get.All\",\"ElevatedAccessControl-Internal.Set.All\",\"ElevatedAccessRequest-Internal.Create.All\",\"ElevatedAccessRequest-Internal.Get.All\",\"ElevatedAccessRequest-Internal.Set.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 148, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:59:11.8891144+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "ESOwwC20lkedpaop7W9GAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "7c47c9f0-d6ae-4c7f-b7e3-fddf259bf009", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:59:11.6746394Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role requested (PIM activation)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "need to work", "durationMs": 0, "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "identity": "User30", "Level": 4, "properties": {"id": "PIM_03c9ce48-53ee-47c4-ba40-cd3a701e5edb_MR6VV_117656483", "category": "RoleManagement", "correlationId": "03c9ce48-53ee-47c4-ba40-cd3a701e5edb", "result": "success", "resultReason": "need to work", "activityDisplayName": "Add member to role requested (PIM activation)", "activityDateTime": "2023-04-26T18:59:11.6746394+00:00", "loggedByService": "PIM", "operationType": "CreateRequestRoleActivation", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "userPrincipalName": "User30@splunkresearch.com", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "27557e16-f91f-4ce3-bf3f-d8cb2b16922d", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}, {"id": "d2cfdb54-7c8c-4097-9330-486f3acc30b5", "displayName": null, "type": "RoleSchedule", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "StartTime", "value": "2023-04-26T18:59:11.6736383Z"}, {"key": "ExpirationTime", "value": "2023-04-27T02:59:11.6736383Z"}, {"key": "Justification", "value": "need to work"}, {"key": "oid", "value": "40b61050-e814-4ae5-8ffe-66b6f0c53998"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:58:51.1106531Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e0340bd1-50b9-4113-9c48-afb348727b49", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "ac57588d-d806-4471-9a0b-073e36874600", "createdDateTime": "2023-04-26T18:58:51.1106531+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e0340bd1-50b9-4113-9c48-afb348727b49", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ac57588d-d806-4471-9a0b-073e36874600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "True"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 141, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:51.1106531+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "jVhXrAbYcUSaCwc-NodGAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:50.8161543Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b6ffaca8-b577-49ed-9d6a-c72485a1cfc7", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "cbb18347-0dcc-4317-a63d-049cf71e1c00", "createdDateTime": "2023-04-26T18:58:50.8161543+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b6ffaca8-b577-49ed-9d6a-c72485a1cfc7", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "cbb18347-0dcc-4317-a63d-049cf71e1c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 130, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "IAM Supportability", "resourceId": "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:50.8161543+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "R4Oxy8wNF0OmPQSc9x4cAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "592cad50-5996-4875-b604-d21539fa4483", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:50.5824078Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "305bf1e1-86c5-4ae2-87c9-3b68a42c7594", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "f6abdda7-ce83-4af3-a263-f48e94803300", "createdDateTime": "2023-04-26T18:58:50.5824078+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "305bf1e1-86c5-4ae2-87c9-3b68a42c7594", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f6abdda7-ce83-4af3-a263-f48e94803300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 67, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:50.5824078+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "p92r9oPO80qiY_SOlIAzAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:50.2261853Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "42eec92b-3a32-4205-8a96-1be5bb3063ee", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "4df2a1af-9010-4b94-9b9d-a39bdc730200", "createdDateTime": "2023-04-26T18:58:50.2261853+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "42eec92b-3a32-4205-8a96-1be5bb3063ee", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "4df2a1af-9010-4b94-9b9d-a39bdc730200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 94, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:50.2261853+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "r6HyTRCQlEubnaOb3HMCAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:43.0724607Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role in PIM completed (timebound)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "08af7625-77b8-4761-a9d2-af10de62d13c", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_08af7625-77b8-4761-a9d2-af10de62d13c_50FS4_125675310", "category": "RoleManagement", "correlationId": "08af7625-77b8-4761-a9d2-af10de62d13c", "result": "success", "resultReason": null, "activityDisplayName": "Add eligible member to role in PIM completed (timebound)", "activityDateTime": "2023-04-26T18:58:43.0724607+00:00", "loggedByService": "PIM", "operationType": "AssignEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "d2cfdb54-7c8c-4097-9330-486f3acc30b5", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "StartTime", "value": "2023-04-26T18:58:42.6654542Z"}, {"key": "ExpirationTime", "value": "2024-04-25T18:58:21.8460000Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:58:42.8926082Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.167.72.132", "correlationId": "80c06cc7-7fe6-4adb-a473-8bcd335f06fa", "identity": "MS-PIM", "Level": 4, "properties": {"id": "Directory_80c06cc7-7fe6-4adb-a473-8bcd335f06fa_0E8N9_68354177", "category": "RoleManagement", "correlationId": "80c06cc7-7fe6-4adb-a473-8bcd335f06fa", "result": "success", "resultReason": "", "activityDisplayName": "Add eligible member to role", "activityDateTime": "2023-04-26T18:58:42.8926082+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "MS-PIM", "servicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "servicePrincipalName": null}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"4c609f03-ed46-4684-8ce9-40b7d632fbe1\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Global Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"TenantAdmins\""}], "administrativeUnits": []}, {"id": "4c609f03-ed46-4684-8ce9-40b7d632fbe1", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Microsoft Azure Graph Client Library 2.1.26-internal"}]}}
{"time": "2023-04-26T18:58:42.3594479Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role in PIM requested (timebound)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "08af7625-77b8-4761-a9d2-af10de62d13c", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_08af7625-77b8-4761-a9d2-af10de62d13c_50FS4_125674408", "category": "RoleManagement", "correlationId": "08af7625-77b8-4761-a9d2-af10de62d13c", "result": "success", "resultReason": null, "activityDisplayName": "Add eligible member to role in PIM requested (timebound)", "activityDateTime": "2023-04-26T18:58:42.3594479+00:00", "loggedByService": "PIM", "operationType": "CreateRequestEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "d2cfdb54-7c8c-4097-9330-486f3acc30b5", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "StartTime", "value": "2023-04-26T18:58:21.8460000Z"}, {"key": "ExpirationTime", "value": "2024-04-25T18:58:21.8460000Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:58:30.8681867Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b4752b54-676a-4c04-b21f-5725079e8d63", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "8ea7ad91-1396-490c-816b-78d739944f00", "createdDateTime": "2023-04-26T18:58:30.8681867+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b4752b54-676a-4c04-b21f-5725079e8d63", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "8ea7ad91-1396-490c-816b-78d739944f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 170, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "ka2njpYTDEmBa3jXOZRPAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:20.2480170Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "c0277797-f7c9-44d1-8509-70d70dc3e718", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "1aa2ae6e-955a-42aa-a6c6-c0b9e4c64000", "createdDateTime": "2023-04-26T18:58:20.248017+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "c0277797-f7c9-44d1-8509-70d70dc3e718", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "1aa2ae6e-955a-42aa-a6c6-c0b9e4c64000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 106, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:20.248017+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bq6iGlqVqkKmxsC55MZAAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:19.4755812Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "632085dc-3f56-4230-b4d3-bb388b377825", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "f6abdda7-ce83-4af3-a263-f48e4f7d3300", "createdDateTime": "2023-04-26T18:58:19.4755812+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "632085dc-3f56-4230-b4d3-bb388b377825", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f6abdda7-ce83-4af3-a263-f48e4f7d3300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 109, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:19.4755812+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "p92r9oPO80qiY_SOT30zAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:18.0247574Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "9e9094ee-3099-489f-a392-9a43a099cc22", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "1fa05da1-a4a5-4aeb-9dd3-4c6c0d6c6800", "createdDateTime": "2023-04-26T18:58:18.0247574+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "9e9094ee-3099-489f-a392-9a43a099cc22", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "1fa05da1-a4a5-4aeb-9dd3-4c6c0d6c6800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 115, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:18.0247574+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "oV2gH6Wk60qd00xsDWxoAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:17.1405792Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "2c7309fd-b81c-48c7-9c0f-9799c553c06b", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "ee63fd0c-8a6f-4025-92e9-0a6d441c3f00", "createdDateTime": "2023-04-26T18:58:17.1405792+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "2c7309fd-b81c-48c7-9c0f-9799c553c06b", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ee63fd0c-8a6f-4025-92e9-0a6d441c3f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 179, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:17.1405792+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "DP1j7m-KJUCS6QptRBw_AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:15.6962697Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "c1517e2e-8483-4a09-b6ee-3155101d2800", "createdDateTime": "2023-04-26T18:58:15.6962697+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "c1517e2e-8483-4a09-b6ee-3155101d2800", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 194, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:15.6962697+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Ln5RwYOECUq27jFVEB0oAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "4/26/2023 6:58:15 PM", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/microsoft.aadiam", "operationName": "Risky user", "operationVersion": "1.0", "category": "RiskyUsers", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "identity": "user30", "Level": 4, "location": "wus", "properties": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "userDisplayName": "User30", "userPrincipalName": "User30@splunkresearch.com", "riskLastUpdatedDateTime": "2023-04-26T18:58:15.000Z", "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordChange", "riskLevel": "none", "isGuest": false, "isDeleted": false, "isProcessing": false}}
{"time": "2023-04-26T18:58:14.0435572Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change password (self-service)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "Level": 4, "properties": {"id": "SSPR_a05afc92-04ce-4582-9dc8-ecb67464c425_O2DEO_21191240", "category": "UserManagement", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "result": "success", "resultReason": "None", "activityDisplayName": "Change password (self-service)", "activityDateTime": "2023-04-26T18:58:14.0435572+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:58:14.0382414Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "dc022ef4-cc24-4941-b42a-0c71e155ff6d", "Level": 4, "properties": {"id": "Directory_dc022ef4-cc24-4941-b42a-0c71e155ff6d_EJ299_97918224", "category": "UserManagement", "correlationId": "dc022ef4-cc24-4941-b42a-0c71e155ff6d", "result": "success", "resultReason": "", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:58:14.0382414+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:58:14.0372421Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "dc022ef4-cc24-4941-b42a-0c71e155ff6d", "Level": 4, "properties": {"id": "Directory_dc022ef4-cc24-4941-b42a-0c71e155ff6d_EJ299_97918215", "category": "UserManagement", "correlationId": "dc022ef4-cc24-4941-b42a-0c71e155ff6d", "result": "success", "resultReason": "", "activityDisplayName": "Change user password", "activityDateTime": "2023-04-26T18:58:14.0372421+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:58:04.8972964Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "25063ff0-b4f1-4303-b524-e4d88b353d00", "createdDateTime": "2023-04-26T18:58:04.8972964+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password.", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {"authMethod": "Mobile app notification", "authDetail": "+X XXXXXXXX93"}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "25063ff0-b4f1-4303-b524-e4d88b353d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 281, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:04.8972964+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-04-26T18:58:04+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA successfully completed", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 1682535484224, "RequestSequence": 1682535474882}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8D8GJfG0A0O1JOTYizU9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:04.8972964Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "25063ff0-b4f1-4303-b524-e4d88b353d00", "createdDateTime": "2023-04-26T18:58:04.8972964+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password.", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {"authMethod": "Mobile app notification", "authDetail": "+X XXXXXXXX93"}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "25063ff0-b4f1-4303-b524-e4d88b353d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 281, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:04+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA successfully completed", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 1682535484224, "RequestSequence": 1682535474882}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8D8GJfG0A0O1JOTYizU9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:04.8972964Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "25063ff0-b4f1-4303-b524-e4d88b353d00", "createdDateTime": "2023-04-26T18:58:04.8972964+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password.", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {"authMethod": "Mobile app notification", "authDetail": "+X XXXXXXXX93"}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "25063ff0-b4f1-4303-b524-e4d88b353d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 281, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:04.8972964+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8D8GJfG0A0O1JOTYizU9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:04.8972964Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "25063ff0-b4f1-4303-b524-e4d88b353d00", "createdDateTime": "2023-04-26T18:58:04.8972964+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password.", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {"authMethod": "Mobile app notification", "authDetail": "+X XXXXXXXX93"}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "25063ff0-b4f1-4303-b524-e4d88b353d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 281, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:58:00+00:00", "authenticationMethod": "Mobile app notification", "succeeded": false, "authenticationStepResultDetail": "Authentication in progress", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 1682535480523, "RequestSequence": 1682535474882}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8D8GJfG0A0O1JOTYizU9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:58:04.4432963Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "40.126.27.96", "correlationId": "41a83170-947e-48e0-88a4-f8faf283efcd", "identity": "Azure MFA StrongAuthenticationService", "Level": 4, "properties": {"id": "Directory_41a83170-947e-48e0-88a4-f8faf283efcd_8QU62_120505071", "category": "UserManagement", "correlationId": "41a83170-947e-48e0-88a4-f8faf283efcd", "result": "success", "resultReason": "", "activityDisplayName": "Update user", "activityDateTime": "2023-04-26T18:58:04.4432963+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "Azure MFA StrongAuthenticationService", "servicePrincipalId": "a710de13-e27c-48de-8a4c-09acdbd54efb", "servicePrincipalName": null}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [{"displayName": "StrongAuthenticationPhoneAppDetail", "oldValue": "[{\"DeviceName\":\"iPhone\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.2\",\"OathTokenTimeDrift\":-1,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"38d744f2-3bf6-41d0-b6be-c2dfcf2e5d31\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-01-24T23:13:40.8952075Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]", "newValue": "[{\"DeviceName\":\"iPhone\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.7\",\"OathTokenTimeDrift\":0,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"38d744f2-3bf6-41d0-b6be-c2dfcf2e5d31\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-04-26T18:58:04.2709726Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationPhoneAppDetail\""}, {"displayName": "TargetId.UserType", "oldValue": null, "newValue": "\"Member\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "UserType", "value": "Member"}]}}
{"time": "2023-04-26T18:57:55.7544487Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50074", "resultSignature": "None", "resultDescription": "Strong Authentication is required.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "Level": 4, "properties": {"id": "25063ff0-b4f1-4303-b524-e4d88b353d00", "createdDateTime": "2023-04-26T18:57:55.7544487+00:00", "userDisplayName": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "userPrincipalName": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}, "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "OSX", "browser": "Chrome 112.0.0"}, "location": {"geoCoordinates": {}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "25063ff0-b4f1-4303-b524-e4d88b353d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 970, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8D8GJfG0A0O1JOTYizU9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:47.0358840Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset password (by admin)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e003", "Level": 4, "properties": {"id": "SSPR_899a8d7a-c7f6-42a0-bf35-3ac36ba5e003_I39MU_16887905", "category": "UserManagement", "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e003", "result": "success", "resultReason": "None", "activityDisplayName": "Reset password (by admin)", "activityDateTime": "2023-04-26T18:57:47.035884+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:57:47.0276370Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "217e163a-385e-4cfd-9831-6ff47e9803ea", "Level": 4, "properties": {"id": "Directory_217e163a-385e-4cfd-9831-6ff47e9803ea_XOFP4_68427948", "category": "UserManagement", "correlationId": "217e163a-385e-4cfd-9831-6ff47e9803ea", "result": "success", "resultReason": "", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:57:47.027637+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:57:47.0206389Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "217e163a-385e-4cfd-9831-6ff47e9803ea", "Level": 4, "properties": {"id": "Directory_217e163a-385e-4cfd-9831-6ff47e9803ea_XOFP4_68427932", "category": "UserManagement", "correlationId": "217e163a-385e-4cfd-9831-6ff47e9803ea", "result": "success", "resultReason": "", "activityDisplayName": "Reset user password", "activityDateTime": "2023-04-26T18:57:47.0206389+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "4/26/2023 6:57:47 PM", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/microsoft.aadiam", "operationName": "Risky user", "operationVersion": "1.0", "category": "RiskyUsers", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "identity": "user30", "Level": 4, "location": "eus", "properties": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "userDisplayName": "User30", "userPrincipalName": "User30@splunkresearch.com", "riskLastUpdatedDateTime": "2023-04-26T18:57:47.035Z", "riskState": "remediated", "riskDetail": "adminGeneratedTemporaryPassword", "riskLevel": "none", "isGuest": false, "isDeleted": false, "isProcessing": false}}
{"time": "2023-04-26T18:57:46.5618175Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e003", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "4cf3a517-7710-4716-87a0-86353d8d3100", "createdDateTime": "2023-04-26T18:57:46.5618175+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "appDisplayName": "Microsoft password reset service", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.31.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e003", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "4cf3a517-7710-4716-87a0-86353d8d3100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 164, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "F6XzTBB3FkeHoIY1PY0xAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:45.2941001Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "0c49938b-a7b6-49de-ba85-0bcf995bb4ae", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "df0fee0b-741a-4041-9f97-e678c6a74600", "createdDateTime": "2023-04-26T18:57:45.2941001+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "0c49938b-a7b6-49de-ba85-0bcf995bb4ae", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "df0fee0b-741a-4041-9f97-e678c6a74600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 162, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "C-4P3xp0QUCfl-Z4xqdGAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:43.0347774Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e000", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "2ef93c02-240e-4452-9f62-a6519c375400", "createdDateTime": "2023-04-26T18:57:43.0347774+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "appDisplayName": "Microsoft password reset service", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.31.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "899a8d7a-c7f6-42a0-bf35-3ac36ba5e000", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "2ef93c02-240e-4452-9f62-a6519c375400", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 145, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Ajz5Lg4kUkSfYqZRnDdUAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:42.1587774Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "943b2455-b5f4-47a0-a8e7-409635ebc486", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "1ded59e4-56a1-464a-8635-cce0a46a6000", "createdDateTime": "2023-04-26T18:57:42.1587774+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "943b2455-b5f4-47a0-a8e7-409635ebc486", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "1ded59e4-56a1-464a-8635-cce0a46a6000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 79, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "5FntHaFWSkaGNczgpGpgAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:36.3389974Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "cec06abf-27c2-4957-b27d-30a1d3e7b909", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "453ea19a-22d0-4444-852e-1b3e8e964000", "createdDateTime": "2023-04-26T18:57:36.3389974+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "cec06abf-27c2-4957-b27d-30a1d3e7b909", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "453ea19a-22d0-4444-852e-1b3e8e964000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 112, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "mqE-RdAiRESFLhs-jpZAAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:35.7483568Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "c8fe70aa-a2f4-473d-b9a2-146c5c978486", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "011ff3fe-f723-4ebb-b9bd-0a0e54654e00", "createdDateTime": "2023-04-26T18:57:35.7483568+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "c8fe70aa-a2f4-473d-b9a2-146c5c978486", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "011ff3fe-f723-4ebb-b9bd-0a0e54654e00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 369, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "_vMfASP3u065vQoOVGVOAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:34.7888065Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset password (by admin)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d012", "Level": 4, "properties": {"id": "SSPR_a596f009-b95a-434b-9d57-151d71a9d012_Y128V_19484715", "category": "UserManagement", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d012", "result": "success", "resultReason": "None", "activityDisplayName": "Reset password (by admin)", "activityDateTime": "2023-04-26T18:57:34.7888065+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:57:34.7772255Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "4f0ebe1e-e90d-4b19-a285-4992556b6415", "Level": 4, "properties": {"id": "Directory_4f0ebe1e-e90d-4b19-a285-4992556b6415_5YUA8_78316574", "category": "UserManagement", "correlationId": "4f0ebe1e-e90d-4b19-a285-4992556b6415", "result": "success", "resultReason": "", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:57:34.7772255+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:57:34.7652306Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "4f0ebe1e-e90d-4b19-a285-4992556b6415", "Level": 4, "properties": {"id": "Directory_4f0ebe1e-e90d-4b19-a285-4992556b6415_5YUA8_78316556", "category": "UserManagement", "correlationId": "4f0ebe1e-e90d-4b19-a285-4992556b6415", "result": "success", "resultReason": "", "activityDisplayName": "Reset user password", "activityDateTime": "2023-04-26T18:57:34.7652306+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:57:32.4254859Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d010", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "8430720d-96d6-4920-b70a-b6aa25474b00", "createdDateTime": "2023-04-26T18:57:32.4254859+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "appDisplayName": "Microsoft password reset service", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.31.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a596f009-b95a-434b-9d57-151d71a9d010", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "8430720d-96d6-4920-b70a-b6aa25474b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 158, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "DXIwhNaWIEm3CraqJUdLAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:31.5804230Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "116ed465-0cc9-4334-a4b9-ea6317eba8ee", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "e5db062a-ab47-4378-90e9-c173d65f5300", "createdDateTime": "2023-04-26T18:57:31.580423+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "116ed465-0cc9-4334-a4b9-ea6317eba8ee", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "e5db062a-ab47-4378-90e9-c173d65f5300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 80, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Kgbb5UereEOQ6cFz1l9TAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:31.3777666Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "3c8cab4e-6d40-4668-b4e7-ee7dcfe58288", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "f0b1b1bc-a995-486a-a006-305611214e00", "createdDateTime": "2023-04-26T18:57:31.3777666+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "3c8cab4e-6d40-4668-b4e7-ee7dcfe58288", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f0b1b1bc-a995-486a-a006-305611214e00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 93, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "vLGx8JWpakigBjBWESFOAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:57:31.3479104Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "c8606a94-ddaf-477b-85fe-4f38ace8dbf8", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "956cda47-874c-441c-a574-916168eb5100", "createdDateTime": "2023-04-26T18:57:31.3479104+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "c8606a94-ddaf-477b-85fe-4f38ace8dbf8", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "956cda47-874c-441c-a574-916168eb5100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 74, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "R9pslUyHHESldJFhaOtRAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:56:06.1214372Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.91.19", "correlationId": "9b80e788-f982-4208-8d17-43b8a5b4552f", "Level": 4, "location": "US", "properties": {"id": "9f5d2dfa-8c1c-427a-8968-604665de5c00", "createdDateTime": "2023-04-26T18:56:06.1214372+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.91.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "9b80e788-f982-4208-8d17-43b8a5b4552f", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "-i1dnxyMekKJaGBGZd5cAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:56.2982803Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role in PIM completed (timebound)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "d4cbe526-ba66-4f39-97d4-899ccd4cc2c5", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_d4cbe526-ba66-4f39-97d4-899ccd4cc2c5_MR6VV_117464544", "category": "RoleManagement", "correlationId": "d4cbe526-ba66-4f39-97d4-899ccd4cc2c5", "result": "success", "resultReason": null, "activityDisplayName": "Remove eligible member from role in PIM completed (timebound)", "activityDateTime": "2023-04-26T18:55:56.2982803+00:00", "loggedByService": "PIM", "operationType": "AdminRemoveEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "lAPpYvVpN0KRkAEhdxReEEs8K25fIbJPpXgouplavRs-1-e", "displayName": null, "type": "RoleAssignment", "modifiedProperties": [], "administrativeUnits": []}, {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": "User10", "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:55:56.2409297Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.167.72.132", "correlationId": "84334391-44e6-4ce5-805c-5c0f77136772", "identity": "MS-PIM", "Level": 4, "properties": {"id": "Directory_84334391-44e6-4ce5-805c-5c0f77136772_ATBCK_273168695", "category": "RoleManagement", "correlationId": "84334391-44e6-4ce5-805c-5c0f77136772", "result": "success", "resultReason": "", "activityDisplayName": "Remove eligible member from role", "activityDateTime": "2023-04-26T18:55:56.2409297+00:00", "loggedByService": "Core Directory", "operationType": "Unassign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "MS-PIM", "servicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "servicePrincipalName": null}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": "\"4c609f03-ed46-4684-8ce9-40b7d632fbe1\"", "newValue": null}, {"displayName": "Role.DisplayName", "oldValue": "\"Global Administrator\"", "newValue": null}, {"displayName": "Role.TemplateId", "oldValue": "\"62e90394-69f5-4237-9190-012177145e10\"", "newValue": null}, {"displayName": "Role.WellKnownObjectName", "oldValue": "\"TenantAdmins\"", "newValue": null}], "administrativeUnits": []}, {"id": "4c609f03-ed46-4684-8ce9-40b7d632fbe1", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Microsoft Azure Graph Client Library 2.1.26-internal"}]}}
{"time": "2023-04-26T18:55:55.6965254Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role in PIM requested (timebound)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "d4cbe526-ba66-4f39-97d4-899ccd4cc2c5", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_d4cbe526-ba66-4f39-97d4-899ccd4cc2c5_MR6VV_117463852", "category": "RoleManagement", "correlationId": "d4cbe526-ba66-4f39-97d4-899ccd4cc2c5", "result": "success", "resultReason": null, "activityDisplayName": "Remove eligible member from role in PIM requested (timebound)", "activityDateTime": "2023-04-26T18:55:55.6965254+00:00", "loggedByService": "PIM", "operationType": "CreateRequestEligibleRoleRemoval", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "62e90394-69f5-4237-9190-012177145e10", "displayName": "Global Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""}], "administrativeUnits": []}, {"id": "e4965bfd-5145-473d-aff8-09aa0264b733", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": "User10", "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "StartTime", "value": "2023-04-26T18:55:55.6955228Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.1"}]}}
{"time": "2023-04-26T18:55:21.9298782Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50072", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "fc13c599-156a-4eee-bc6f-d46444d25d00", "createdDateTime": "2023-04-26T18:55:21.9298782+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50072, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fc13c599-156a-4eee-bc6f-d46444d25d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 135, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:55:21.9298782+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:55:21.9298782+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "mcUT_GoV7k68b9RkRNJdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:16.6637400Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50072", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "aba7014d-ab59-4310-b336-79bdf6334f00", "createdDateTime": "2023-04-26T18:55:16.66374+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50072, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "aba7014d-ab59-4310-b336-79bdf6334f00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 195, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:55:16.66374+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:55:16.66374+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "request", "detail": "App requires MFA"}, {"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "TQGnq1mrEEOzNnm99jNPAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:05.9813159Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "f51314dc-423a-40a6-926c-a3f8c5e84700", "createdDateTime": "2023-04-26T18:55:05.9813159+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "0000000c-0000-0000-c000-000000000000", "appDisplayName": "Microsoft App Access Panel", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "browser": "Rich Client 5.2.7.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "f51314dc-423a-40a6-926c-a3f8c5e84700", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"BitlockerKey.Read.All\",\"Device.Read.All\",\"Directory.Read.All\",\"Policy.Read.All\",\"User.Read\",\"UserAuthenticationMethod.ReadWrite\",\"UserAuthenticationMethod.ReadWrite.All\",\"UserAuthenticationMethod-Policy.Read\",\"UserAuthenticationMethod-Policy.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 87, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft App Access Panel", "resourceId": "0000000c-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "3BQT9TpCpkCSbKP4xehHAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "b720e1b7-122d-4bc5-92b7-90bfcf5e10ff", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:05.7830178Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "53cc9fcc-ff65-47d8-a963-5dfa67fe5a00", "createdDateTime": "2023-04-26T18:55:05.7830178+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "0000000c-0000-0000-c000-000000000000", "appDisplayName": "Microsoft App Access Panel", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "browser": "Rich Client 5.2.7.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "53cc9fcc-ff65-47d8-a963-5dfa67fe5a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"BitlockerKey.Read.All\",\"Device.Read.All\",\"Directory.Read.All\",\"Policy.Read.All\",\"User.Read\",\"UserAuthenticationMethod.ReadWrite\",\"UserAuthenticationMethod.ReadWrite.All\",\"UserAuthenticationMethod-Policy.Read\",\"UserAuthenticationMethod-Policy.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 134, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "zJ_MU2X_2EepY136Z_5aAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:05.4198975Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "fd14567d-3d2b-4f3d-9fcf-7331610a2a00", "createdDateTime": "2023-04-26T18:55:05.4198975+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "0000000c-0000-0000-c000-000000000000", "appDisplayName": "Microsoft App Access Panel", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "browser": "Rich Client 5.2.7.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "fd14567d-3d2b-4f3d-9fcf-7331610a2a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"groups.read\",\"groups.write\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 84, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Approval Management", "resourceId": "65d91a3d-ab74-42e6-8a2f-0add61688c74", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "fVYU_Ss9PU-fz3MxYQoqAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "2693d0b3-edba-4866-bc65-02dfb4cf3b66", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:05.1601517Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "29bfb44b-53d3-446a-8b8e-76e43c9d5a00", "createdDateTime": "2023-04-26T18:55:05.1601517+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "0000000c-0000-0000-c000-000000000000", "appDisplayName": "Microsoft App Access Panel", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "browser": "Rich Client 5.2.7.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "29bfb44b-53d3-446a-8b8e-76e43c9d5a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 100, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "S7S_KdNTakSLjnbkPJ1aAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:55:04.8166687Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "2605e638-931c-4b6c-8364-822ecd043c00", "createdDateTime": "2023-04-26T18:55:04.8166687+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "0000000c-0000-0000-c000-000000000000", "appDisplayName": "Microsoft App Access Panel", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "browser": "Rich Client 5.2.7.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a998a5d8-bbe3-45f4-9426-858d26f67078", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "2605e638-931c-4b6c-8364-822ecd043c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 254, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "OOYFJhyTbEuDZIIuzQQ8AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:57.4360553Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50072", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "be6f6304-7f21-4afa-8b8a-32fff0ed4100", "createdDateTime": "2023-04-26T18:54:57.4360553+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50072, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "be6f6304-7f21-4afa-8b8a-32fff0ed4100", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 270, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:54:57.4360553+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:54:57.4360553+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "request", "detail": "App requires MFA"}, {"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "BGNvviF_-kqLijL_8O1BAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:27.2024273Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "6570bee5-a374-4369-98d7-bb844511a3cc", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "e308294c-6841-4cc8-b885-6cdb8d534500", "createdDateTime": "2023-04-26T18:54:27.2024273+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "6570bee5-a374-4369-98d7-bb844511a3cc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "e308294c-6841-4cc8-b885-6cdb8d534500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 118, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "IAM Supportability", "resourceId": "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "TCkI40FoyEy4hWzbjVNFAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "592cad50-5996-4875-b604-d21539fa4483", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:27.1465554Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "9fde9697-1b77-4ada-9519-9b9f219f9db2", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "fc440435-7a78-4dde-8d83-921d81ea3a00", "createdDateTime": "2023-04-26T18:54:27.1465554+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "9fde9697-1b77-4ada-9519-9b9f219f9db2", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fc440435-7a78-4dde-8d83-921d81ea3a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 106, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NQRE_Hh63k2Ng5Idgeo6AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:09.6106496Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "08f248e4-b3c7-4afb-bc1a-d4daa17b52a8", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "aeb0e5bc-da97-4e85-a4a7-1859b39d4100", "createdDateTime": "2023-04-26T18:54:09.6106496+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "08f248e4-b3c7-4afb-bc1a-d4daa17b52a8", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "aeb0e5bc-da97-4e85-a4a7-1859b39d4100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 192, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "vOWwrpfahU6kpxhZs51BAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:09.3145858Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a0d74610-ab02-4663-916c-a6e74e5611c7", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "55e8d056-e4aa-4d85-8251-cbd22dd64400", "createdDateTime": "2023-04-26T18:54:09.3145858+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a0d74610-ab02-4663-916c-a6e74e5611c7", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "55e8d056-e4aa-4d85-8251-cbd22dd64400", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 122, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "VtDoVarkhU2CUcvSLdZEAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:09.3067942Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "ca8f31d1-af60-4229-a663-5db3c27243d5", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "d72bdb4f-b976-4021-be98-2c9224e24100", "createdDateTime": "2023-04-26T18:54:09.3067942+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "ca8f31d1-af60-4229-a663-5db3c27243d5", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "d72bdb4f-b976-4021-be98-2c9224e24100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 112, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "T9sr13a5IUC-mCySJOJBAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:09.1363964Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "dc5b00c0-3680-462f-8222-c8b65fdafbbe", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "53cc9fcc-ff65-47d8-a963-5dfa89f05a00", "createdDateTime": "2023-04-26T18:54:09.1363964+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "dc5b00c0-3680-462f-8222-c8b65fdafbbe", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "53cc9fcc-ff65-47d8-a963-5dfa89f05a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 51, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "IAM Supportability", "resourceId": "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "zJ_MU2X_2EepY136ifBaAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "592cad50-5996-4875-b604-d21539fa4483", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:08.9234021Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e32ef07d-a1ca-42e3-bd77-42d83949b04d", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "53cc9fcc-ff65-47d8-a963-5dfa7ef05a00", "createdDateTime": "2023-04-26T18:54:08.9234021+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "e32ef07d-a1ca-42e3-bd77-42d83949b04d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "53cc9fcc-ff65-47d8-a963-5dfa7ef05a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 71, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "ADIbizaUX", "resourceId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "zJ_MU2X_2EepY136fvBaAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:07.2722812Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "76d240af-0ef0-4fa0-ae03-61a2479cdc86", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "7efc6053-1889-42b4-be50-f5f3fc8b5500", "createdDateTime": "2023-04-26T18:54:07.2722812+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "76d240af-0ef0-4fa0-ae03-61a2479cdc86", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "7efc6053-1889-42b4-be50-f5f3fc8b5500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "True"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 128, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "U2D8fokYtEK-UPXz_ItVAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:54:06.4955620Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "d8045738-e71e-4f66-aa58-5d5505de2b82", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "2da72484-9fec-495b-8391-cd84d8274a00", "createdDateTime": "2023-04-26T18:54:06.495562+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "d8045738-e71e-4f66-aa58-5d5505de2b82", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "2da72484-9fec-495b-8391-cd84d8274a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 86, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "hCSnLeyfW0mDkc2E2CdKAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:41.8818610Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "90c8a768-ae9c-4734-b0c7-291e03f3b050", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "9b915c21-7adf-46a4-9a23-9df485413800", "createdDateTime": "2023-04-26T18:53:41.881861+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "90c8a768-ae9c-4734-b0c7-291e03f3b050", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "9b915c21-7adf-46a4-9a23-9df485413800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 153, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "IVyRm996pEaaI530hUE4AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:41.5962062Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e95cb8fe-0fbd-4c09-beec-a08312e41632", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "80465f66-bc40-44b7-b8a9-4dd9255d2f00", "createdDateTime": "2023-04-26T18:53:41.5962062+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "e95cb8fe-0fbd-4c09-beec-a08312e41632", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "80465f66-bc40-44b7-b8a9-4dd9255d2f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 77, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Zl9GgEC8t0S4qU3ZJV0vAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:41.1065485Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b90daa9f-0725-449c-80ae-6ee32623a341", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "9db76b2c-0ea4-46a9-b302-11c6795c4100", "createdDateTime": "2023-04-26T18:53:41.1065485+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "b90daa9f-0725-449c-80ae-6ee32623a341", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "9db76b2c-0ea4-46a9-b302-11c6795c4100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 84, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "LGu3naQOqUazAhHGeVxBAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:40.5455497Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "f6e082cb-3e65-4da5-bc03-33051586cf16", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "9db76b2c-0ea4-46a9-b302-11c6555c4100", "createdDateTime": "2023-04-26T18:53:40.5455497+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "f6e082cb-3e65-4da5-bc03-33051586cf16", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "9db76b2c-0ea4-46a9-b302-11c6555c4100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 150, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "LGu3naQOqUazAhHGVVxBAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:40.1183130Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "fc13c599-156a-4eee-bc6f-d4648ac25d00", "createdDateTime": "2023-04-26T18:53:40.118313+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fc13c599-156a-4eee-bc6f-d4648ac25d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 203, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "alternateSignInName": "user10@splunkresearch.com", "signInIdentifier": "user10@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "mcUT_GoV7k68b9RkisJdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:37.8279289Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50072", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "3f175294-c1d7-4687-a7d3-f8680daf4b00", "createdDateTime": "2023-04-26T18:53:37.8279289+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50072, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access the tenant.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "3f175294-c1d7-4687-a7d3-f8680daf4b00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 191, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:53:37.8279289+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user10@splunkresearch.com", "signInIdentifier": "user10@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "lFIXP9fBh0an0_hoDa9LAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:53:36.4460664Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change password (self-service)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "Level": 4, "properties": {"id": "SSPR_a05afc92-04ce-4582-9dc8-ecb67464c425_BNATB_20838888", "category": "UserManagement", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "result": "success", "resultReason": "None", "activityDisplayName": "Change password (self-service)", "activityDateTime": "2023-04-26T18:53:36.4460664+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": "User10", "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:53:36.4418113Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "69e83a01-7b0c-4baa-94e9-09114efb7ac1", "Level": 4, "properties": {"id": "Directory_69e83a01-7b0c-4baa-94e9-09114efb7ac1_UFTJR_85874971", "category": "UserManagement", "correlationId": "69e83a01-7b0c-4baa-94e9-09114efb7ac1", "result": "success", "resultReason": "", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:53:36.4418113+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:53:36.4408132Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "69e83a01-7b0c-4baa-94e9-09114efb7ac1", "Level": 4, "properties": {"id": "Directory_69e83a01-7b0c-4baa-94e9-09114efb7ac1_UFTJR_85874963", "category": "UserManagement", "correlationId": "69e83a01-7b0c-4baa-94e9-09114efb7ac1", "result": "success", "resultReason": "", "activityDisplayName": "Change user password", "activityDateTime": "2023-04-26T18:53:36.4408132+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:53:28.2694154Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "d8d14be1-efc5-4306-8202-bc7b192e4700", "createdDateTime": "2023-04-26T18:53:28.2694154+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password."}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "d8d14be1-efc5-4306-8202-bc7b192e4700", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 256, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:53:28.2694154+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}], "authenticationRequirementPolicies": [{"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user10@splunkresearch.com", "signInIdentifier": "user10@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "4UvR2MXvBkOCArx7GS5HAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:58.0976152Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change password (self-service)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "UserIncorrectPassword", "durationMs": 0, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "Level": 4, "properties": {"id": "SSPR_a05afc92-04ce-4582-9dc8-ecb67464c425_9IY6H_14466471", "category": "UserManagement", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "result": "failure", "resultReason": "UserIncorrectPassword", "activityDisplayName": "Change password (self-service)", "activityDateTime": "2023-04-26T18:52:58.0976152+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": "User10", "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "ErrorMessage", "value": "Current password is invalid"}, {"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:52:58.0886204Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "Microsoft.Online.Workflows.IncorrectPasswordException", "durationMs": 0, "correlationId": "a21d6af5-f515-4fe9-a295-c64bbc7f6853", "Level": 4, "properties": {"id": "Directory_a21d6af5-f515-4fe9-a295-c64bbc7f6853_HANFT_182509539", "category": "UserManagement", "correlationId": "a21d6af5-f515-4fe9-a295-c64bbc7f6853", "result": "failure", "resultReason": "Microsoft.Online.Workflows.IncorrectPasswordException", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:52:58.0886204+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [{"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Workflows.IncorrectPasswordException\""}], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:52:58.0876177Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Change user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "Microsoft.Online.Workflows.IncorrectPasswordException", "durationMs": 0, "correlationId": "a21d6af5-f515-4fe9-a295-c64bbc7f6853", "Level": 4, "properties": {"id": "Directory_a21d6af5-f515-4fe9-a295-c64bbc7f6853_HANFT_182509531", "category": "UserManagement", "correlationId": "a21d6af5-f515-4fe9-a295-c64bbc7f6853", "result": "failure", "resultReason": "Microsoft.Online.Workflows.IncorrectPasswordException", "activityDisplayName": "Change user password", "activityDateTime": "2023-04-26T18:52:58.0876177+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "userPrincipalName": "User10@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [{"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Workflows.IncorrectPasswordException\""}], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:52:47.0001588Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50055", "resultSignature": "None", "resultDescription": "Invalid password, entered expired password.", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User10", "Level": 4, "location": "US", "properties": {"id": "469eda2e-4816-49bb-9906-3e2cfccb4e00", "createdDateTime": "2023-04-26T18:52:47.0001588+00:00", "userDisplayName": "User10", "userPrincipalName": "user10@splunkresearch.com", "userId": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 50055, "failureReason": "Invalid password, entered expired password."}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["MfaRegistration"], "enforcedSessionControls": [], "result": "failure", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "469eda2e-4816-49bb-9906-3e2cfccb4e00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 218, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:47.0001588+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}], "authenticationRequirementPolicies": [{"requirementProvider": "mfaRegistrationRequiredBySecurityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user10@splunkresearch.com", "signInIdentifier": "user10@splunkresearch.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "LtqeRhZIu0mZBj4s_MtOAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:40.2186780Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset password (by admin)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00d", "Level": 4, "properties": {"id": "SSPR_a596f009-b95a-434b-9d57-151d71a9d00d_Y128V_19391441", "category": "UserManagement", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00d", "result": "success", "resultReason": "None", "activityDisplayName": "Reset password (by admin)", "activityDateTime": "2023-04-26T18:52:40.218678+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": "User10", "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}
{"time": "2023-04-26T18:52:40.2107837Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update StsRefreshTokenValidFrom Timestamp", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "40970a58-f760-4c92-92f5-cef80162bb25", "Level": 4, "properties": {"id": "Directory_40970a58-f760-4c92-92f5-cef80162bb25_ZK7DS_77460575", "category": "UserManagement", "correlationId": "40970a58-f760-4c92-92f5-cef80162bb25", "result": "success", "resultReason": "", "activityDisplayName": "Update StsRefreshTokenValidFrom Timestamp", "activityDateTime": "2023-04-26T18:52:40.2107837+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:52:40.2047614Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset user password", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "40970a58-f760-4c92-92f5-cef80162bb25", "Level": 4, "properties": {"id": "Directory_40970a58-f760-4c92-92f5-cef80162bb25_ZK7DS_77460563", "category": "UserManagement", "correlationId": "40970a58-f760-4c92-92f5-cef80162bb25", "result": "success", "resultReason": "", "activityDisplayName": "Reset user password", "activityDateTime": "2023-04-26T18:52:40.2047614+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "00000000-0000-0000-0000-000000000000", "displayName": null, "userPrincipalName": "fim_password_service@support.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "6e2b3c4b-215f-4fb2-a578-28ba995abd1b", "displayName": null, "type": "User", "userPrincipalName": "User10@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}
{"time": "2023-04-26T18:52:39.7586786Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00d", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "b4c21d14-c743-46b7-93de-6c4281c93c00", "createdDateTime": "2023-04-26T18:52:39.7586786+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "appDisplayName": "Microsoft password reset service", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.31.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "b4c21d14-c743-46b7-93de-6c4281c93c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 207, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "FB3CtEPHt0aT3mxCgck8AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:38.6779617Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b4df0b24-eaab-420c-a321-e3d9d1395b09", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "efb45137-b3a2-4c42-bd81-597f53a86100", "createdDateTime": "2023-04-26T18:52:38.6779617+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b4df0b24-eaab-420c-a321-e3d9d1395b09", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "efb45137-b3a2-4c42-bd81-597f53a86100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 81, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "N1G076KzQky9gVl_U6hhAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:24.6413284Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00a", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "64d76a13-2161-47b2-b8eb-4825aacf4100", "createdDateTime": "2023-04-26T18:52:24.6413284+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "appDisplayName": "Microsoft password reset service", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.31.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a596f009-b95a-434b-9d57-151d71a9d00a", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "64d76a13-2161-47b2-b8eb-4825aacf4100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 185, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "E2rXZGEhske460glqs9BAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:22.9872207Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "8e80f3a5-0288-45a1-8e80-efc9717076a1", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "609cacd9-9565-4b6c-94b2-bbd54dea5500", "createdDateTime": "2023-04-26T18:52:22.9872207+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "8e80f3a5-0288-45a1-8e80-efc9717076a1", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "609cacd9-9565-4b6c-94b2-bbd54dea5500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 95, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft password reset service", "resourceId": "93625bc8-bfe2-437a-97e0-3d0060024faa", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "2aycYGWVbEuUsrvVTepVAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "8577c051-38ce-417d-8aed-3d6ae0009a0c", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:10.8197798Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "d054bb09-8976-4c2d-9673-b2b89ee62288", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "fc440435-7a78-4dde-8d83-921d72d23a00", "createdDateTime": "2023-04-26T18:52:10.8197798+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "d054bb09-8976-4c2d-9673-b2b89ee62288", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fc440435-7a78-4dde-8d83-921d72d23a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 59, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:10.8197798+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NQRE_Hh63k2Ng5IdctI6AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:10.2278879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "5da665b9-e1b7-4a37-8335-7e806a2d1c49", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "80465f66-bc40-44b7-b8a9-4dd928512f00", "createdDateTime": "2023-04-26T18:52:10.2278879+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "5da665b9-e1b7-4a37-8335-7e806a2d1c49", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "80465f66-bc40-44b7-b8a9-4dd928512f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 130, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:10.2278879+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Zl9GgEC8t0S4qU3ZKFEvAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:09.4263854Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "8924cdb0-d137-4aa4-a400-57fcddd733a8", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "d7160d28-bc2e-41a9-a0bb-a741c6ef3400", "createdDateTime": "2023-04-26T18:52:09.4263854+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "8924cdb0-d137-4aa4-a400-57fcddd733a8", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "d7160d28-bc2e-41a9-a0bb-a741c6ef3400", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 77, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:09.4263854+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KA0W1y68qUGgu6dBxu80AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:08.3564482Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a17d65a7-97a6-4814-95a6-ae5b912c323b", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "08b49618-013c-4bc9-a4d1-316c5e4b5900", "createdDateTime": "2023-04-26T18:52:08.3564482+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a17d65a7-97a6-4814-95a6-ae5b912c323b", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "08b49618-013c-4bc9-a4d1-316c5e4b5900", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 129, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:08.3564482+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "GJa0CDwByUuk0TFsXktZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:08.0988930Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "43315595-1afc-439d-a57f-b38a82374100", "createdDateTime": "2023-04-26T18:52:08.098893+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a05afc92-04ce-4582-9dc8-ecb67464c425", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "43315595-1afc-439d-a57f-b38a82374100", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 242, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:08.098893+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:52:08.098893+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}, {"requirementProvider": "securityDefaults", "detail": "Security Defaults"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "lVUxQ_wanUOlf7OKgjdBAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:02.8920990Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "9ef6e38f-4376-4f1c-9cd8-6e87db722f45", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "b0f40146-802d-4464-9a59-0bad767c4600", "createdDateTime": "2023-04-26T18:52:02.892099+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "2793995e-0a7d-40d7-bd35-6968ba142197", "appDisplayName": "My Apps", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.50.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "9ef6e38f-4376-4f1c-9cd8-6e87db722f45", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "b0f40146-802d-4464-9a59-0bad767c4600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Application.ReadWrite.All\",\"Directory.Read.All\",\"email\",\"openid\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 93, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:02.892099+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "RgH0sC2AZESaWQutdnxGAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:02.3540906Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "c9d41f69-86cd-4f5b-a33f-96c2d2a94a5e", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "b0f40146-802d-4464-9a59-0bad527c4600", "createdDateTime": "2023-04-26T18:52:02.3540906+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "2793995e-0a7d-40d7-bd35-6968ba142197", "appDisplayName": "My Apps", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.50.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "c9d41f69-86cd-4f5b-a33f-96c2d2a94a5e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "b0f40146-802d-4464-9a59-0bad527c4600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 124, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:02.3540906+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "RgH0sC2AZESaWQutUnxGAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:02.1260726Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "78f375c1-da78-4a93-8bf7-ebeba357daaa", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "f6abdda7-ce83-4af3-a263-f48e8e2c3300", "createdDateTime": "2023-04-26T18:52:02.1260726+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "5f09333a-842c-47da-a157-57da27fcbca5", "appDisplayName": "Office365 Shell WCSS-Server", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "78f375c1-da78-4a93-8bf7-ebeba357daaa", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f6abdda7-ce83-4af3-a263-f48e8e2c3300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"workspace.read\",\"workspace.write\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 126, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "My Apps", "resourceId": "2793995e-0a7d-40d7-bd35-6968ba142197", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:02.1260726+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "p92r9oPO80qiY_SOjiwzAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "851d7272-24cc-4414-8a01-4a0610762b78", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:02.1149121Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "78f375c1-da78-4a93-8bf7-ebeba357daaa", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "ad20d5c0-5918-445f-982b-f7eb4c595000", "createdDateTime": "2023-04-26T18:52:02.1149121+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "5f09333a-842c-47da-a157-57da27fcbca5", "appDisplayName": "Office365 Shell WCSS-Server", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "78f375c1-da78-4a93-8bf7-ebeba357daaa", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ad20d5c0-5918-445f-982b-f7eb4c595000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 114, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "PowerApps Service", "resourceId": "475226c6-020e-4fb2-8a90-7a972cbfc1d4", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:02.1149121+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "wNUgrRhZX0SYK_frTFlQAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "dd672f15-32e7-4f97-949d-2cc69856895d", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:01.8050053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e998ceda-72e5-482c-a829-3cac37dac47c", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "fc440435-7a78-4dde-8d83-921de1d03a00", "createdDateTime": "2023-04-26T18:52:01.8050053+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e998ceda-72e5-482c-a829-3cac37dac47c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fc440435-7a78-4dde-8d83-921de1d03a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"Files.ReadWrite\",\"openid\",\"profile\",\"User.ReadWrite\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 121, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:01.8050053+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NQRE_Hh63k2Ng5Id4dA6AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:01.7907283Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "763217a2-9c84-4eb2-9f8b-8012f31de88d", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "c026c7d4-ecd1-41f1-98f1-052954af5100", "createdDateTime": "2023-04-26T18:52:01.7907283+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "763217a2-9c84-4eb2-9f8b-8012f31de88d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "c026c7d4-ecd1-41f1-98f1-052954af5100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"ShellSettings.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 95, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office365 Shell WCSS-Server", "resourceId": "5f09333a-842c-47da-a157-57da27fcbca5", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:01.7907283+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "1McmwNHs8UGY8QUpVK9RAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:01.7605751Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "345d34e3-3c81-4953-8356-3c8feb06944f", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "1d86a30e-3469-4aab-a8e4-77d331f75300", "createdDateTime": "2023-04-26T18:52:01.7605751+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "345d34e3-3c81-4953-8356-3c8feb06944f", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "1d86a30e-3469-4aab-a8e4-77d331f75300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"Files.ReadWrite\",\"openid\",\"profile\",\"User.ReadWrite\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 101, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:01.7605751+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "DqOGHWk0q0qo5HfTMfdTAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:01.1339655Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "5f2e847a-c20d-4054-9943-b9b4b16222a3", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "69559da2-fa0e-41b8-98bb-5b19ca444200", "createdDateTime": "2023-04-26T18:52:01.1339655+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "00000006-0000-0ff1-ce00-000000000000", "appDisplayName": "Microsoft Office 365 Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "5f2e847a-c20d-4054-9943-b9b4b16222a3", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "69559da2-fa0e-41b8-98bb-5b19ca444200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 107, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office MRO Device Manager Service", "resourceId": "ebe0c285-db95-403f-a1a3-a793bd6d7767", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:01.1339655+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "op1VaQ76uEGYu1sZykRCAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.8700962Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "162b831a-128c-4deb-96df-929a5d6ac391", "identity": "Microsoft Azure AD Internal - Jit Provisioning", "Level": 4, "properties": {"id": "Directory_162b831a-128c-4deb-96df-929a5d6ac391_JEWMQ_91554286", "category": "ApplicationManagement", "correlationId": "162b831a-128c-4deb-96df-929a5d6ac391", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2023-04-26T18:52:00.8700962+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {}, "targetResources": [{"id": "d2f01332-512a-47e8-802b-760e34defac1", "displayName": "Microsoft Workplace Search Service", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"}, {"displayName": "AppAddress", "oldValue": "[]", "newValue": "[{\"AddressType\":4,\"Address\":\"https://thor.aesir.office.com/\",\"ReplyAddressClientType\":0,\"ReplyAddressIndex\":null,\"IsReplyAddressDefault\":false}]"}, {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"f3a218b7-5c8f-460b-93af-56b072788c15\"]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"Microsoft Workplace Search Service\"]"}, {"displayName": "ServicePrincipalName", "oldValue": "[]", "newValue": "[\"https://df.thor.aesir.office.com\",\"https://thor.aesir.office.com/\",\"f3a218b7-5c8f-460b-93af-56b072788c15\"]"}, {"displayName": "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"e8fde120-a931-41f4-b8b3-b9e13f397c57\"}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppAddress, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"https://df.thor.aesir.office.com;https://thor.aesir.office.com/;f3a218b7-5c8f-460b-93af-56b072788c15\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "AppId", "value": "f3a218b7-5c8f-460b-93af-56b072788c15"}]}}
{"time": "2023-04-26T18:52:00.8331578Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "b119d4d8-42b7-42ec-b314-48c7338ad92b", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "077fdb57-eb72-46ad-ba13-1c8e3cff4200", "createdDateTime": "2023-04-26T18:52:00.8331578+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "00000006-0000-0ff1-ce00-000000000000", "appDisplayName": "Microsoft Office 365 Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b119d4d8-42b7-42ec-b314-48c7338ad92b", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "077fdb57-eb72-46ad-ba13-1c8e3cff4200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 126, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.8331578+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "V9t_B3LrrUa6ExyOPP9CAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.6694716Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "9cd57939-8191-4119-9e55-02827b368ac9", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "a6028b8d-6a0f-4064-bec3-e481e6b14000", "createdDateTime": "2023-04-26T18:52:00.6694716+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "9cd57939-8191-4119-9e55-02827b368ac9", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a6028b8d-6a0f-4064-bec3-e481e6b14000", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 80, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.6694716+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:52:00.6694716+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "jYsCpg9qZEC-w-SB5rFAAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.6382939Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "79329119-fac7-42e2-bb20-af2ffd7586cc", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "02b2428a-fed9-494f-8a8c-332b20b74500", "createdDateTime": "2023-04-26T18:52:00.6382939+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "79329119-fac7-42e2-bb20-af2ffd7586cc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "02b2428a-fed9-494f-8a8c-332b20b74500", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 86, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office365 Shell WCSS-Server", "resourceId": "5f09333a-842c-47da-a157-57da27fcbca5", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.6382939+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:52:00.6382939+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "ikKyAtn-T0mKjDMrILdFAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.6062443Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "18e3583b-12b5-4a07-92a0-d7bf17c53268", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "5beb10e3-2234-4544-93f1-a680292a6000", "createdDateTime": "2023-04-26T18:52:00.6062443+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "00000006-0000-0ff1-ce00-000000000000", "appDisplayName": "Microsoft Office 365 Portal", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "18e3583b-12b5-4a07-92a0-d7bf17c53268", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "5beb10e3-2234-4544-93f1-a680292a6000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 90, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.6062443+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "4xDrWzQiREWT8aaAKSpgAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.6048940Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "e7153cc1-cf2b-4d96-a415-c36a5f7a6117", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "0d2f2ccd-261f-45c1-936e-842859434000", "createdDateTime": "2023-04-26T18:52:00.604894+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "appDisplayName": "Office365 Shell WCSS-Client", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e7153cc1-cf2b-4d96-a415-c36a5f7a6117", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "0d2f2ccd-261f-45c1-936e-842859434000", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 110, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.604894+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:52:00.604894+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "zSwvDR8mwUWTboQoWUNAAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.3383024Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "93a09adc-00d8-40ac-993c-c3c64776a098", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "41566abd-e178-4e4e-9f9c-dff9cd454300", "createdDateTime": "2023-04-26T18:52:00.3383024+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "93a09adc-00d8-40ac-993c-c3c64776a098", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "41566abd-e178-4e4e-9f9c-dff9cd454300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"User.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 99, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Workplace Search Service", "resourceId": "f3a218b7-5c8f-460b-93af-56b072788c15", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.3383024+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "vWpWQXjhTk6fnN_5zUVDAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:52:00.0387931Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "aa985d28-ff51-457a-8d5a-6394b547384e", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "a9ac7a6c-b8fb-42d4-9140-098ae7d56000", "createdDateTime": "2023-04-26T18:52:00.0387931+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "aa985d28-ff51-457a-8d5a-6394b547384e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a9ac7a6c-b8fb-42d4-9140-098ae7d56000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"PushChannel.ReadWrite.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 97, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "PushChannel", "resourceId": "4747d38e-36c5-4bc3-979b-b0ef74df54d1", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:52:00.0387931+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bHqsqfu41EKRQAmK59VgAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "65236e61-19ab-4422-b839-260161afe380", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:59.3805518Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "a00bcbe2-c6f4-45a1-9b09-c4f63f1f03db", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "89a73fb3-afef-4ea5-bee2-dd23d8c73c00", "createdDateTime": "2023-04-26T18:51:59.3805518+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "a00bcbe2-c6f4-45a1-9b09-c4f63f1f03db", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "89a73fb3-afef-4ea5-bee2-dd23d8c73c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 103, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "O365 Suite UX", "resourceId": "4345a7b9-9a63-4910-a426-35363201d503", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:59.3805518+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "sz-nie-vpU6-4t0j2Mc8AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:59.0419373Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "5ab97412-5a4a-4f0a-937a-1c8a443bedae", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "7b180eb6-1fcf-41f3-80ce-93e684664600", "createdDateTime": "2023-04-26T18:51:59.0419373+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "e8be65d6-d430-4289-a665-51bf2a194bda", "appDisplayName": "Microsoft 365 App Catalog Services", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.48.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "5ab97412-5a4a-4f0a-937a-1c8a443bedae", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "7b180eb6-1fcf-41f3-80ce-93e684664600", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Region.ReadWrite\",\"Apps.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 141, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Teams Services", "resourceId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:59.0419373+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "tg4Ye88f80GAzpPmhGZGAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "452f8cff-a0bf-4fe5-9c50-cbc9e7f5f1ad", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.7936948Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "4ae83131-97f8-43ee-a488-b61db11e14ad", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "6a7ea2a5-1c98-487e-a0c3-057e4d236a00", "createdDateTime": "2023-04-26T18:51:58.7936948+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "e8be65d6-d430-4289-a665-51bf2a194bda", "appDisplayName": "Microsoft 365 App Catalog Services", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.48.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "4ae83131-97f8-43ee-a488-b61db11e14ad", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "6a7ea2a5-1c98-487e-a0c3-057e4d236a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Region.ReadWrite\",\"Apps.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 108, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Teams Services", "resourceId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.7936948+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "paJ-apgcfkigwwV-TSNqAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "452f8cff-a0bf-4fe5-9c50-cbc9e7f5f1ad", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.7051168Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "f051f2a0-8081-4162-a7eb-ab60a48fce8d", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "e3982b6c-38be-4cd2-9e32-5929cd0a3a00", "createdDateTime": "2023-04-26T18:51:58.7051168+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "f051f2a0-8081-4162-a7eb-ab60a48fce8d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "e3982b6c-38be-4cd2-9e32-5929cd0a3a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Files.ReadWrite.All\",\"Sites.FullControl.All\",\"User.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 121, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 SharePoint Online", "resourceId": "00000003-0000-0ff1-ce00-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.7051168+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bCuY47440kyeMlkpzQo6AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "0cb8b6f5-232b-4481-a8d3-d008394c12a3", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.6788781Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "ed9c0ced-17f1-40ae-a3a7-4c6eeae386fa", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "6e0d1132-bd98-4e62-a744-5bbbffec4000", "createdDateTime": "2023-04-26T18:51:58.6788781+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ed9c0ced-17f1-40ae-a3a7-4c6eeae386fa", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "6e0d1132-bd98-4e62-a744-5bbbffec4000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Files.ReadWrite.All\",\"Sites.FullControl.All\",\"User.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 129, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 SharePoint Online", "resourceId": "00000003-0000-0ff1-ce00-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.6788781+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "MhENbpi9Yk6nRFu7_-xAAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "0cb8b6f5-232b-4481-a8d3-d008394c12a3", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.4835829Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "73b81cba-b423-4038-8109-e04f68684079", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "f754af74-c393-4f65-8cf0-13f5c2d23000", "createdDateTime": "2023-04-26T18:51:58.4835829+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "73b81cba-b423-4038-8109-e04f68684079", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f754af74-c393-4f65-8cf0-13f5c2d23000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"User.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 152, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft People Cards Service", "resourceId": "394866fc-eedb-4f01-8536-3ff84b16be2a", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.4835829+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "dK9U95PDZU-M8BP1wtIwAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "fc9da6dd-d82b-42bd-8685-f3f6006828cc", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.4599543Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "727f3a2e-e891-43cb-acc8-9f204202c5ea", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "982c4692-f15f-40a8-a798-10ca7ac94500", "createdDateTime": "2023-04-26T18:51:58.4599543+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "727f3a2e-e891-43cb-acc8-9f204202c5ea", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "982c4692-f15f-40a8-a798-10ca7ac94500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"Files.ReadWrite.All\",\"InformationProtectionPolicy.Read\",\"Notes.Create\",\"openid\",\"People.Read\",\"Presence.Read.All\",\"profile\",\"Sites.Read.All\",\"Tasks.ReadWrite\",\"User.Read\",\"User.ReadBasic.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 134, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.4599543+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "kkYsmF_xqECnmBDKeslFAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.4504929Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "6003d6a6-604c-4598-b39b-d5cbaa648d6d", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "95124854-f522-4981-ac31-6ef2541c4500", "createdDateTime": "2023-04-26T18:51:58.4504929+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "6003d6a6-604c-4598-b39b-d5cbaa648d6d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "95124854-f522-4981-ac31-6ef2541c4500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 148, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Office 365 Portal", "resourceId": "00000006-0000-0ff1-ce00-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.4504929+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "VEgSlSL1gUmsMW7yVBxFAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "79a4eaf1-dfc5-4e45-967c-23a579c6eb57", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.4486182Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "7b1d8f62-3933-4f9e-ba9e-aead9def55c2", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "a9f1b24f-4dad-4132-b31e-a166de4f4300", "createdDateTime": "2023-04-26T18:51:58.4486182+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "7b1d8f62-3933-4f9e-ba9e-aead9def55c2", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a9f1b24f-4dad-4132-b31e-a166de4f4300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"Title.ReadWrite\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 137, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft 365 App Catalog Services", "resourceId": "e8be65d6-d430-4289-a665-51bf2a194bda", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.4486182+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "T7Lxqa1NMkGzHqFm3k9DAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.4484706Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "ef05a71f-70ac-4288-b781-91512cdfccb9", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "2605e638-931c-4b6c-8364-822e96df3b00", "createdDateTime": "2023-04-26T18:51:58.4484706+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ef05a71f-70ac-4288-b781-91512cdfccb9", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "2605e638-931c-4b6c-8364-822e96df3b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"ActivityFeed-Internal.ReadWrite\",\"Files.Read\",\"Files.ReadWrite\",\"Group.ReadWrite.All\",\"Notes.ReadWrite\",\"OfficeFeed-Internal.ReadWrite\",\"PeoplePredictions-Internal.Read\",\"RoamingUserSettings.ReadWrite\",\"SubstrateSearch-Internal.ReadWrite\",\"Files.ReadWrite.Shared\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 119, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Microservices", "resourceId": "ec156f81-f23a-47bd-b16f-9fb2c66420f9", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.4484706+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "OOYFJhyTbEuDZIIult87AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.3987545Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "75cd06da-e235-4035-bff9-3e7f4f164010", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "ab5dfaa8-c2c5-4111-bf3f-3e9521954800", "createdDateTime": "2023-04-26T18:51:58.3987545+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "75cd06da-e235-4035-bff9-3e7f4f164010", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ab5dfaa8-c2c5-4111-bf3f-3e9521954800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"SubstrateSearch-Internal.ReadWrite\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 76, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Search Service", "resourceId": "66a88757-258c-4c72-893c-3e8bed4d6899", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.3987545+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "qPpdq8XCEUG_Pz6VIZVIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "e9f19d1a-f674-4639-a76a-e5ebefb75e5a", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:58.1043000Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "0c04835d-298c-499d-8be0-cbc88fc59544", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "aba7014d-ab59-4310-b336-79bd98164f00", "createdDateTime": "2023-04-26T18:51:58.1043+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.49.1.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "0c04835d-298c-499d-8be0-cbc88fc59544", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "aba7014d-ab59-4310-b336-79bd98164f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 104, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:58.1043+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "TQGnq1mrEEOzNnm9mBZPAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:57.7877486Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "169cfe8b-6339-463c-9f3a-8dfd65ed0ea9", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "7fc0c067-e6ec-4c72-b121-8845a0f74100", "createdDateTime": "2023-04-26T18:51:57.7877486+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "169cfe8b-6339-463c-9f3a-8dfd65ed0ea9", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "7fc0c067-e6ec-4c72-b121-8845a0f74100", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 112, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-26T18:51:57.7877486+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-04-26T18:51:57.7877486+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Z8DAf-zmckyxIYhFoPdBAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:51:06.3796232Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.91.19", "correlationId": "07b5148a-af9a-4844-b0ba-051d9af5ca55", "Level": 4, "location": "US", "properties": {"id": "3e2b62f5-4f12-4eba-b430-b32943ae4000", "createdDateTime": "2023-04-26T18:51:06.3796232+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.91.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "07b5148a-af9a-4844-b0ba-051d9af5ca55", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "9WIrPhJPuk60MLMpQ65AAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:50:15.1051644Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "86fd5bfb-7ad6-4c66-8c42-e808da02dc98", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "72d221f1-2edf-4099-8a81-817e48ce5c00", "createdDateTime": "2023-04-26T18:50:15.1051644+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "86fd5bfb-7ad6-4c66-8c42-e808da02dc98", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "72d221f1-2edf-4099-8a81-817e48ce5c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 127, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8SHSct8umUCKgYF-SM5cAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:50:14.8626735Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "c4e433d7-5882-4d5d-bdaa-35a93be3b7d2", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "70a669da-b058-4e67-bcf3-a996628f4400", "createdDateTime": "2023-04-26T18:50:14.8626735+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "c4e433d7-5882-4d5d-bdaa-35a93be3b7d2", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "70a669da-b058-4e67-bcf3-a996628f4400", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 118, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "2mmmcFiwZ06886mWYo9EAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:50:14.8506783Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "839ddc38-af75-480c-a524-84ada9e7ce85", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "bf3fa33c-59a3-4477-9696-2f9509d64000", "createdDateTime": "2023-04-26T18:50:14.8506783+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "839ddc38-af75-480c-a524-84ada9e7ce85", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "bf3fa33c-59a3-4477-9696-2f9509d64000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 100, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "PKM_v6NZd0SWli-VCdZAAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}
{"time": "2023-04-26T18:50:14.8241449Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.1", "correlationId": "ed393d24-37fb-41c6-a39a-073554cdba68", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "72d221f1-2edf-4099-8a81-817e41ce5c00", "createdDateTime": "2023-04-26T18:50:14.8241449+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.1", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 42.3333333322, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ed393d24-37fb-41c6-a39a-073554cdba68", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "72d221f1-2edf-4099-8a81-817e41ce5c00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 94, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "8SHSct8umUCKgYF-Qc5cAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}}