{"time": "2023-04-28T18:16:06.3212348Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "02ae30f0-84cb-4c1e-b8d8-26db58631064", "Level": 4, "location": "US", "properties": {"id": "c914a1ee-1aa2-4326-adf6-40d593129100", "createdDateTime": "2023-04-28T18:16:06.3212348+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "02ae30f0-84cb-4c1e-b8d8-26db58631064", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "7qEUyaIaJkOt9kDVkxKRAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T18:11:06.0688467Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "f1584370-925c-40c3-9c7e-51cea3bb264a", "Level": 4, "location": "US", "properties": {"id": "ca1ad65d-57f6-496f-bf29-019eac983100", "createdDateTime": "2023-04-28T18:11:06.0688467+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "f1584370-925c-40c3-9c7e-51cea3bb264a", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "XdYayvZXb0m_KQGerJgxAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T18:06:06.2874591Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "a6c0dfce-be5a-4973-8adf-9f780c6d30bb", "Level": 4, "location": "US", "properties": {"id": "6053e0a1-7857-414d-8f30-afa9eaae8500", "createdDateTime": "2023-04-28T18:06:06.2874591+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "a6c0dfce-be5a-4973-8adf-9f780c6d30bb", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "oeBTYFd4TUGPMK-p6q6FAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T18:01:06.2826908Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "be972800-fa37-4198-af26-e74cce0d6725", "Level": 4, "location": "US", "properties": {"id": "635e4195-c992-437b-9afd-666697b78400", "createdDateTime": "2023-04-28T18:01:06.2826908+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "be972800-fa37-4198-af26-e74cce0d6725", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "lUFeY5LJe0Oa_WZml7eEAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:56:06.1852410Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "025488f7-1a27-4e6d-9a85-e5b7bc59b34b", "Level": 4, "location": "US", "properties": {"id": "ccea7659-71e1-4c77-994e-d11433b6bc00", "createdDateTime": "2023-04-28T17:56:06.185241+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "025488f7-1a27-4e6d-9a85-e5b7bc59b34b", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "WXbqzOFxd0yZTtEUM7a8AA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:51:06.1823539Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "6f24e31f-ef23-4205-bd23-398784aa933a", "Level": 4, "location": "US", "properties": {"id": "15c6b6f5-b938-4f89-a08c-126a03db8b00", "createdDateTime": "2023-04-28T17:51:06.1823539+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "6f24e31f-ef23-4205-bd23-398784aa933a", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "9bbGFTi5iU-gjBJqA9uLAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:46:06.1003756Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "41884624-d160-465f-8af1-db8d7e256e5d", "Level": 4, "location": "US", "properties": {"id": "80e3f984-6da1-4620-91b3-02de2107a600", "createdDateTime": "2023-04-28T17:46:06.1003756+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "41884624-d160-465f-8af1-db8d7e256e5d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "hPnjgKFtIEaRswLeIQemAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:41:06.1459728Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "22896ba8-e223-425d-b173-8711f64edac0", "Level": 4, "location": "US", "properties": {"id": "99a95d3e-cccf-41ae-a373-7eb9e1408900", "createdDateTime": "2023-04-28T17:41:06.1459728+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "22896ba8-e223-425d-b173-8711f64edac0", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "Pl2pmc_MrkGjc3654UCJAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:39:14.2046873Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "75656a68-f4b0-4e22-b4ec-d441e92fd891", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "3221e34c-676d-4c54-86ec-af3038c29900", "createdDateTime": "2023-04-28T17:39:14.2046873+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "75656a68-f4b0-4e22-b4ec-d441e92fd891", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "3221e34c-676d-4c54-86ec-af3038c29900", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 325, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "TOMhMm1nVEyG7K8wOMKZAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T17:36:06.3647132Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "d15de9e2-2e0b-4dc3-b71a-18ae1fd562ac", "Level": 4, "location": "US", "properties": {"id": "4df2a1af-9010-4b94-9b9d-a39b62f45a00", "createdDateTime": "2023-04-28T17:36:06.3647132+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "d15de9e2-2e0b-4dc3-b71a-18ae1fd562ac", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "r6HyTRCQlEubnaObYvRaAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:31:06.1554453Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "90f32b00-afc0-4e99-9ec9-6dce3c1710fe", "Level": 4, "location": "US", "properties": {"id": "1fb22e10-bb8c-46bd-a6e6-5cb46a368800", "createdDateTime": "2023-04-28T17:31:06.1554453+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "90f32b00-afc0-4e99-9ec9-6dce3c1710fe", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "EC6yH4y7vUam5ly0ajaIAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:26:06.0879974Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "ca8f3f91-e295-4e71-b38b-d46560c437ce", "Level": 4, "location": "US", "properties": {"id": "951ae20f-0f5f-48d0-9256-02b35461c100", "createdDateTime": "2023-04-28T17:26:06.0879974+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "ca8f3f91-e295-4e71-b38b-d46560c437ce", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "D-IalV8P0EiSVgKzVGHBAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:25:12.4288384Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "e207a897-bed8-4278-839f-62985b7b0bba", "Level": 4, "location": "US", "properties": {"id": "e7b8a65c-5f2b-4efc-b41c-48b1f86d0200", "createdDateTime": "2023-04-28T17:25:12.4288384+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "e207a897-bed8-4278-839f-62985b7b0bba", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": ""}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Microsoft.EventHubs", "resourceId": "80369ed6-5f11-4dd9-bef3-692475845e77", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "XKa45ytf_E60HEix-G0CAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:21:06.1318811Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "24f5811e-8ca9-403b-be68-bb5adf2c305e", "Level": 4, "location": "US", "properties": {"id": "eab82b99-08d4-4f61-bef4-836c18064500", "createdDateTime": "2023-04-28T17:21:06.1318811+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "24f5811e-8ca9-403b-be68-bb5adf2c305e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "mSu46tQIYU--9INsGAZFAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:16:52.3080937Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "7b1288f6-5fd8-4c60-9b8b-c0c830341de2", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "3cfc043c-0ebd-4773-b841-7ec513f19900", "createdDateTime": "2023-04-28T17:16:52.3080937+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "7b1288f6-5fd8-4c60-9b8b-c0c830341de2", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "3cfc043c-0ebd-4773-b841-7ec513f19900", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 304, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "PAT8PL0Oc0e4QX7FE_GZAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T17:16:06.2534794Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "c4306efc-f852-417d-8ff1-2ce9fced3f28", "Level": 4, "location": "US", "properties": {"id": "539f31f7-90af-4876-8d9d-d734f9317900", "createdDateTime": "2023-04-28T17:16:06.2534794+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "c4306efc-f852-417d-8ff1-2ce9fced3f28", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "9zGfU6-QdkiNndc0-TF5AA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:11:06.2710219Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "5e17bb7b-eb87-47cd-9f1d-6d60d5875e36", "Level": 4, "location": "US", "properties": {"id": "6053e0a1-7857-414d-8f30-afa9f5208400", "createdDateTime": "2023-04-28T17:11:06.2710219+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "5e17bb7b-eb87-47cd-9f1d-6d60d5875e36", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "oeBTYFd4TUGPMK-p9SCEAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:06:06.2373786Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "8d33a4ab-0779-4525-bf95-19100fabbd3f", "Level": 4, "location": "US", "properties": {"id": "df0fee0b-741a-4041-9f97-e6780fc38d00", "createdDateTime": "2023-04-28T17:06:06.2373786+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "8d33a4ab-0779-4525-bf95-19100fabbd3f", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "C-4P3xp0QUCfl-Z4D8ONAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T17:01:06.3282743Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "d0a8f5c1-0dcc-4024-bcb3-ce443facff9a", "Level": 4, "location": "US", "properties": {"id": "9f5d2dfa-8c1c-427a-8968-6046299bae00", "createdDateTime": "2023-04-28T17:01:06.3282743+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "d0a8f5c1-0dcc-4024-bcb3-ce443facff9a", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "-i1dnxyMekKJaGBGKZuuAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:56:06.1183287Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "3119c5ff-66db-4217-a0cd-3ac60ec57d3c", "Level": 4, "location": "US", "properties": {"id": "210bbc61-b354-44a8-a6ba-42d75e6b9800", "createdDateTime": "2023-04-28T16:56:06.1183287+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "3119c5ff-66db-4217-a0cd-3ac60ec57d3c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "YbwLIVSzqESmukLXXmuYAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:51:06.1458871Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "7454342c-78ef-4396-804b-70bb8dde7572", "Level": 4, "location": "US", "properties": {"id": "1b683c87-d7e8-4f3b-b656-c1fbfc34b800", "createdDateTime": "2023-04-28T16:51:06.1458871+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "7454342c-78ef-4396-804b-70bb8dde7572", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "hzxoG-jXO0-2VsH7_DS4AA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:46:06.1083085Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "3a4598a8-1aca-49bf-8373-c2557fb1f0ff", "Level": 4, "location": "US", "properties": {"id": "d0c5437f-a79f-461b-9ee6-ecbad9667600", "createdDateTime": "2023-04-28T16:46:06.1083085+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "3a4598a8-1aca-49bf-8373-c2557fb1f0ff", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "f0PF0J-nG0ae5uy62WZ2AA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:42:50.4238812Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role in PIM completed (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "2687f252-0fe6-4351-99b2-82a202ada884", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_2687f252-0fe6-4351-99b2-82a202ada884_WJE8B_74156412", "category": "RoleManagement", "correlationId": "2687f252-0fe6-4351-99b2-82a202ada884", "result": "success", "resultReason": null, "activityDisplayName": "Remove eligible member from role in PIM completed (permanent)", "activityDateTime": "2023-04-28T16:42:50.4238812+00:00", "loggedByService": "PIM", "operationType": "AdminRemovePermanentEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "kl2Jm9Msx0SdAqasLV6lw1dNZg3uo0lAhkIoClxyQ-8-1-e", "displayName": null, "type": "RoleAssignment", "modifiedProperties": [], "administrativeUnits": []}, {"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": "User1", "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.35"}]}} {"time": "2023-04-28T16:42:50.3503273Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.167.72.132", "correlationId": "b23a5918-2a10-4ff6-b8d7-4f93b081f9d7", "identity": "MS-PIM", "Level": 4, "properties": {"id": "Directory_b23a5918-2a10-4ff6-b8d7-4f93b081f9d7_1R8RQ_86162880", "category": "RoleManagement", "correlationId": "b23a5918-2a10-4ff6-b8d7-4f93b081f9d7", "result": "success", "resultReason": "", "activityDisplayName": "Remove eligible member from role", "activityDateTime": "2023-04-28T16:42:50.3503273+00:00", "loggedByService": "Core Directory", "operationType": "Unassign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "MS-PIM", "servicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "servicePrincipalName": null}}, "targetResources": [{"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": null, "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\"", "newValue": null}, {"displayName": "Role.DisplayName", "oldValue": "\"Application Administrator\"", "newValue": null}, {"displayName": "Role.TemplateId", "oldValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\"", "newValue": null}, {"displayName": "Role.WellKnownObjectName", "oldValue": "\"ApplicationAdministrators\"", "newValue": null}], "administrativeUnits": []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Microsoft Azure Graph Client Library 2.1.26-internal"}]}} {"time": "2023-04-28T16:42:49.5848757Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Remove eligible member from role in PIM requested (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "2687f252-0fe6-4351-99b2-82a202ada884", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_2687f252-0fe6-4351-99b2-82a202ada884_WJE8B_74155633", "category": "RoleManagement", "correlationId": "2687f252-0fe6-4351-99b2-82a202ada884", "result": "success", "resultReason": null, "activityDisplayName": "Remove eligible member from role in PIM requested (permanent)", "activityDateTime": "2023-04-28T16:42:49.5848757+00:00", "loggedByService": "PIM", "operationType": "CreateRequestPermanentEligibleRoleRemoval", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "28611e31-42db-4051-85b9-c26ab2d2ae3b", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": "User1", "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "StartTime", "value": "2023-04-28T16:42:49.5848757Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.35"}]}} {"time": "2023-04-28T16:41:06.1471349Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "0d44a6ef-27ad-4e44-bace-4190234950e3", "Level": 4, "location": "US", "properties": {"id": "fbcb5f75-b285-474d-90b0-95784eb91500", "createdDateTime": "2023-04-28T16:41:06.1471349+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "0d44a6ef-27ad-4e44-bace-4190234950e3", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "dV_L-4WyTUeQsJV4TrkVAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:40:56.4923307Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role outside of PIM (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "13e7fde8-cdea-40ad-aaef-51bb809ec3b9", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_13e7fde8-cdea-40ad-aaef-51bb809ec3b9_YS8NP_1381363", "category": "RoleManagement", "correlationId": "13e7fde8-cdea-40ad-aaef-51bb809ec3b9", "result": "success", "resultReason": null, "activityDisplayName": "Add member to role outside of PIM (permanent)", "activityDateTime": "2023-04-28T16:40:56.4923307+00:00", "loggedByService": "PIM", "operationType": "RoleElevatedOutsidePimAlert", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "strt_admin_splunkresearch.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "ee65f285-c23d-4093-bb11-7102f08bbdf0", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": "User1", "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "StartTime", "value": "2023-04-28T16:39:51.9302630Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}]}} {"time": "2023-04-28T16:39:51.9312625Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b", "Level": 4, "properties": {"id": "Directory_b425f2d7-2245-4952-b599-61dff8054f2b_FLAW0_72812697", "category": "RoleManagement", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b", "result": "success", "resultReason": "", "activityDisplayName": "Add member to role", "activityDateTime": "2023-04-28T16:39:51.9312625+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": null, "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Privileged Role Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"ApplicationAdministrators\""}], "administrativeUnits": []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}} {"time": "2023-04-28T16:39:51.5757354Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "95163499-7d6a-4838-8f5d-7f8953914517", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "01db8bd3-3281-4600-b9a6-3c7556275e00", "createdDateTime": "2023-04-28T16:39:51.5757354+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "95163499-7d6a-4838-8f5d-7f8953914517", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "01db8bd3-3281-4600-b9a6-3c7556275e00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 83, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "04vbAYEyAEa5pjx1VideAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:39:42.3652520Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "f163210d-4501-4ebd-a3e9-7f216d386581", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "1d709336-e7eb-4184-8f40-7cc4ff036d00", "createdDateTime": "2023-04-28T16:39:42.365252+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "f163210d-4501-4ebd-a3e9-7f216d386581", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "1d709336-e7eb-4184-8f40-7cc4ff036d00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 107, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NpNwHevnhEGPQHzE_wNtAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:39:29.4699896Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "be9e0608-20e2-40c3-a008-229f008cf831", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "a7fc5671-6287-4dd4-8b58-0ca19b0eb700", "createdDateTime": "2023-04-28T16:39:29.4699896+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "bb8f18b0-9c38-48c9-a847-e1ef3af0602d", "appDisplayName": "Microsoft.Azure.ActiveDirectoryIUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "be9e0608-20e2-40c3-a008-229f008cf831", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a7fc5671-6287-4dd4-8b58-0ca19b0eb700", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 308, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "cVb8p4di1E2LWAyhmw63AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:38:10.1577107Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role in PIM completed (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "4332b9d9-431e-4693-8584-8547cf5bc7d5", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_4332b9d9-431e-4693-8584-8547cf5bc7d5_FNY0U_68747214", "category": "RoleManagement", "correlationId": "4332b9d9-431e-4693-8584-8547cf5bc7d5", "result": "success", "resultReason": null, "activityDisplayName": "Add eligible member to role in PIM completed (permanent)", "activityDateTime": "2023-04-28T16:38:10.1577107+00:00", "loggedByService": "PIM", "operationType": "AssignPermanentEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "353917a3-275b-425a-baf5-c5e83828b337", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": "User1", "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "StartTime", "value": "2023-04-28T16:38:09.6906905Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.35"}]}} {"time": "2023-04-28T16:38:09.9293748Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.167.72.132", "correlationId": "ca38dc3e-848a-46c6-821a-d53b69914a75", "identity": "MS-PIM", "Level": 4, "properties": {"id": "Directory_ca38dc3e-848a-46c6-821a-d53b69914a75_1R8RQ_85573447", "category": "RoleManagement", "correlationId": "ca38dc3e-848a-46c6-821a-d53b69914a75", "result": "success", "resultReason": "", "activityDisplayName": "Add eligible member to role", "activityDateTime": "2023-04-28T16:38:09.9293748+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "MS-PIM", "servicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "servicePrincipalName": null}}, "targetResources": [{"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": null, "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Privileged Role Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"ApplicationAdministrators\""}], "administrativeUnits": []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Microsoft Azure Graph Client Library 2.1.26-internal"}]}} {"time": "2023-04-28T16:38:09.5616855Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add eligible member to role in PIM requested (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "4332b9d9-431e-4693-8584-8547cf5bc7d5", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_4332b9d9-431e-4693-8584-8547cf5bc7d5_FNY0U_68746610", "category": "RoleManagement", "correlationId": "4332b9d9-431e-4693-8584-8547cf5bc7d5", "result": "success", "resultReason": null, "activityDisplayName": "Add eligible member to role in PIM requested (permanent)", "activityDateTime": "2023-04-28T16:38:09.5616855+00:00", "loggedByService": "PIM", "operationType": "CreateRequestPermanentEligibleRole", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "353917a3-275b-425a-baf5-c5e83828b337", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": "User1", "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "StartTime", "value": "2023-04-28T16:38:00.4370000Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10,b79fbf4d-3ef9-4689-8143-76b194e85509"}, {"key": "ipaddr", "value": "72.1.1.35"}]}} {"time": "2023-04-28T16:37:55.5495887Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "1db660e4-6f70-4cf7-bbd2-7158bd50caf2", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "f2ba8f06-65c7-4b99-a32f-7b3a55de5d00", "createdDateTime": "2023-04-28T16:37:55.5495887+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "50aaa389-5a33-4f1a-91d7-2c45ecd8dac8", "appDisplayName": "Microsoft_Azure_PIMCommon", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "1db660e4-6f70-4cf7-bbd2-7158bd50caf2", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "f2ba8f06-65c7-4b99-a32f-7b3a55de5d00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 226, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Bo-68sdlmUujL3s6Vd5dAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:37:54.6669005Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "8e03c99e-7a5b-4a35-8c48-d8cfc71c8444", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "92880f27-40c5-4469-acd7-1b7c5d26a900", "createdDateTime": "2023-04-28T16:37:54.6669005+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "f9885e6e-6f74-46b3-b595-350157a27541", "appDisplayName": "Microsoft_AAD_UsersAndTenants", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "8e03c99e-7a5b-4a35-8c48-d8cfc71c8444", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "92880f27-40c5-4469-acd7-1b7c5d26a900", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 154, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "MS-PIM", "resourceId": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Jw-IksVAaUSs1xt8XSapAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "26439afb-f5b9-4e51-a821-05b24506b262", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:37:38.9638181Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "99553c61-601f-4ae1-a0a5-f1a2bf642280", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "5ebaa42e-e77d-4f02-85b9-5384fe2c5100", "createdDateTime": "2023-04-28T16:37:38.9638181+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "99553c61-601f-4ae1-a0a5-f1a2bf642280", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "5ebaa42e-e77d-4f02-85b9-5384fe2c5100", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 83, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "LqS6Xn3nAk-FuVOE_ixRAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:37:38.7573711Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "11ff701a-c632-4141-9be1-65c849ed02d3", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "c23dfb20-e0c6-484a-9b77-eb58a1cb9000", "createdDateTime": "2023-04-28T16:37:38.7573711+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "f9885e6e-6f74-46b3-b595-350157a27541", "appDisplayName": "Microsoft_AAD_UsersAndTenants", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "11ff701a-c632-4141-9be1-65c849ed02d3", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "c23dfb20-e0c6-484a-9b77-eb58a1cb9000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 375, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "IPs9wsbgSkibd-tYocuQAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:37:38.7252768Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "7d52fbe8-4b06-4ba3-8154-783d0412fe97", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "7f68b2a0-d282-4cc5-b9f7-d0554ddfb200", "createdDateTime": "2023-04-28T16:37:38.7252768+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "f9885e6e-6f74-46b3-b595-350157a27541", "appDisplayName": "Microsoft_AAD_UsersAndTenants", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "7d52fbe8-4b06-4ba3-8154-783d0412fe97", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "7f68b2a0-d282-4cc5-b9f7-d0554ddfb200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AdministrativeUnit.ReadWrite.All\",\"AuditLog.Read.All\",\"Directory.AccessAsUser.All\",\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.Authorization\",\"profile\",\"User.ReadWrite.All\",\"Directory.Write.Restricted\",\"User.EnableDisableAccount.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 359, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "oLJof4LSxUy599BVTd-yAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:37:38.7059749Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "f52a7d21-c72f-408d-b121-43366baeda9c", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "46a98b4e-b881-43e0-805f-5dc3ecd14a00", "createdDateTime": "2023-04-28T16:37:38.7059749+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "f9885e6e-6f74-46b3-b595-350157a27541", "appDisplayName": "Microsoft_AAD_UsersAndTenants", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "f52a7d21-c72f-408d-b121-43366baeda9c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "46a98b4e-b881-43e0-805f-5dc3ecd14a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 322, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "ADIbizaUX", "resourceId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "ToupRoG44EOAX13D7NFKAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:36:06.3064536Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "438677b4-b2b2-4415-bf4d-590a3d5bb7a9", "Level": 4, "location": "US", "properties": {"id": "568933c9-d10e-4440-b774-fa9500c77700", "createdDateTime": "2023-04-28T16:36:06.3064536+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "438677b4-b2b2-4415-bf4d-590a3d5bb7a9", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "yTOJVg7RQES3dPqVAMd3AA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:31:06.2465443Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "48c50907-2762-4491-adcd-2a956f1b6d63", "Level": 4, "location": "US", "properties": {"id": "9d14e234-0bec-4fe8-80b6-ded8b8879500", "createdDateTime": "2023-04-28T16:31:06.2465443+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "48c50907-2762-4491-adcd-2a956f1b6d63", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "NOIUnewL6E-Att7YuIeVAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:27:42.3044544Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "5c2cada9-00bf-45ce-8e1f-2b4106cfcec5", "Level": 4, "location": "US", "properties": {"id": "4f00fd1b-6217-43f4-aa22-4105530b9100", "createdDateTime": "2023-04-28T16:27:42.3044544+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "5c2cada9-00bf-45ce-8e1f-2b4106cfcec5", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": ""}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Microsoft.EventHubs", "resourceId": "80369ed6-5f11-4dd9-bef3-692475845e77", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "G_0ATxdi9EOqIkEFUwuRAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:26:06.1004193Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "b75ae0e0-f2c6-4855-9c2e-6eaf0cf36523", "Level": 4, "location": "US", "properties": {"id": "f14d6438-9c82-43db-93b3-6935f574aa00", "createdDateTime": "2023-04-28T16:26:06.1004193+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "b75ae0e0-f2c6-4855-9c2e-6eaf0cf36523", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "OGRN8YKc20OTs2k19XSqAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:21:06.2883798Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "700ccea5-68c9-4414-b525-16b51c3278fc", "Level": 4, "location": "US", "properties": {"id": "5f762183-8b99-4c36-98e1-b54a389f5600", "createdDateTime": "2023-04-28T16:21:06.2883798+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "700ccea5-68c9-4414-b525-16b51c3278fc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "gyF2X5mLNkyY4bVKOJ9WAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}} {"time": "2023-04-28T16:20:03.5283239Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "9b9cf54b-2607-4b80-a3ae-660ec6027c8e", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "207a8d2e-303d-46ce-898d-8d2770fc3d00", "createdDateTime": "2023-04-28T16:20:03.5283239+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "9b9cf54b-2607-4b80-a3ae-660ec6027c8e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "207a8d2e-303d-46ce-898d-8d2770fc3d00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 131, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "Lo16ID0wzkaJjY0ncPw9AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:19:49.4140679Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role outside of PIM (permanent)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "da1dd416-b40f-4409-92c0-b00f6666f160", "identity": "Splunk Threat Research", "Level": 4, "properties": {"id": "PIM_da1dd416-b40f-4409-92c0-b00f6666f160_Z52QN_1488882", "category": "RoleManagement", "correlationId": "da1dd416-b40f-4409-92c0-b00f6666f160", "result": "success", "resultReason": null, "activityDisplayName": "Add member to role outside of PIM (permanent)", "activityDateTime": "2023-04-28T16:19:49.4140679+00:00", "loggedByService": "PIM", "operationType": "RoleElevatedOutsidePimAlert", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": "Splunk Threat Research", "userPrincipalName": "strt_admin_splunkresearch.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "ipAddress": null, "roles": []}}, "targetResources": [{"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator", "type": "Role", "modifiedProperties": [{"displayName": "RoleDefinitionOriginId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "RoleDefinitionOriginType", "oldValue": "\"\"", "newValue": "\"BuiltInRole\""}, {"displayName": "TemplateId", "oldValue": "\"\"", "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}], "administrativeUnits": []}, {"id": "599a1e3b-32bf-4617-96be-e341ee7e62d3", "displayName": null, "type": "Request", "modifiedProperties": [], "administrativeUnits": []}, {"id": "c95aeff3-f16a-41b5-ab87-884100c63440", "displayName": "App 5", "type": "ServicePrincipal", "modifiedProperties": [], "administrativeUnits": []}, {"id": "fc69e276-e9e8-4af9-9002-1e410d77244e", "displayName": "Default Directory", "type": "Directory", "modifiedProperties": [], "administrativeUnits": []}, {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Azure AD Directory Roles", "type": "Provider", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "RoleDefinitionOriginId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "RoleDefinitionOriginType", "value": "BuiltInRole"}, {"key": "TemplateId", "value": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"}, {"key": "StartTime", "value": "2023-04-28T16:18:15.0700995Z"}, {"key": "oid", "value": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}]}} {"time": "2023-04-28T16:18:15.0700995Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "b35af2b5-fdee-47a5-839e-5b531b45afbc", "Level": 4, "properties": {"id": "Directory_b35af2b5-fdee-47a5-839e-5b531b45afbc_HI5Q3_65942134", "category": "RoleManagement", "correlationId": "b35af2b5-fdee-47a5-839e-5b531b45afbc", "result": "success", "resultReason": "", "activityDisplayName": "Add member to role", "activityDateTime": "2023-04-28T16:18:15.0700995+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "c95aeff3-f16a-41b5-ab87-884100c63440", "displayName": "App 5", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Privileged Role Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"ApplicationAdministrators\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"6e52f512-52b3-4c05-9d4d-7cd49bdb2709\""}], "administrativeUnits": []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "AppId", "value": "6e52f512-52b3-4c05-9d4d-7cd49bdb2709"}]}} {"time": "2023-04-28T16:18:14.7859079Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "8c4466d9-0891-4cd9-9d73-bca04c3e2a93", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "6ae023a1-a34d-40e0-8525-983fc5159000", "createdDateTime": "2023-04-28T16:18:14.7859079+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "8c4466d9-0891-4cd9-9d73-bca04c3e2a93", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "6ae023a1-a34d-40e0-8525-983fc5159000", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 127, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "oSPgak2j4ECFJZg_xRWQAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:18:02.2527034Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "27951c00-fc65-4b14-9510-d8f48a30f508", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "377ff26e-494c-4905-85c3-fe24eb3c9a00", "createdDateTime": "2023-04-28T16:18:02.2527034+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "27951c00-fc65-4b14-9510-d8f48a30f508", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "377ff26e-494c-4905-85c3-fe24eb3c9a00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 107, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bvJ_N0xJBUmFw_4k6zyaAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:17:02.0056453Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "e3016f02-794c-489a-983e-b43ba139460e", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "92f8e6d6-85cc-4ae0-8d27-a170f0819900", "createdDateTime": "2023-04-28T16:17:02.0056453+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e3016f02-794c-489a-983e-b43ba139460e", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "92f8e6d6-85cc-4ae0-8d27-a170f0819900", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 106, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "1ub4ksyF4EqNJ6Fw8IGZAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:17:01.8308852Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "4d4ed96e-f050-4f00-9dd3-965cc5626b32", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "a35d19e9-fda7-48d8-9863-bf9c6ce55b00", "createdDateTime": "2023-04-28T16:17:01.8308852+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "appDisplayName": "Microsoft_AAD_RegisteredApps", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "4d4ed96e-f050-4f00-9dd3-965cc5626b32", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a35d19e9-fda7-48d8-9863-bf9c6ce55b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 403, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "ADIbizaUX", "resourceId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "6Rldo6f92EiYY7-cbOVbAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:17:01.2310247Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "6b1e8923-6224-42ec-806a-f6f462bd161c", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "be6f6304-7f21-4afa-8b8a-32ffeb048500", "createdDateTime": "2023-04-28T16:17:01.2310247+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "appDisplayName": "Microsoft_AAD_RegisteredApps", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "6b1e8923-6224-42ec-806a-f6f462bd161c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "be6f6304-7f21-4afa-8b8a-32ffeb048500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AdministrativeUnit.Read.All\",\"AdministrativeUnit.ReadWrite.All\",\"Application.Read.All\",\"Application.ReadWrite.All\",\"AppRoleAssignment.ReadWrite.All\",\"DelegatedPermissionGrant.ReadWrite.All\",\"Domain.Read.All\",\"email\",\"openid\",\"Organization.ReadWrite.All\",\"Policy.Read.All\",\"profile\",\"User.Read\",\"User.Read.All\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 404, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "BGNvviF_-kqLijL_6wSFAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:17:00.1965640Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "1d30b018-f7a6-4e00-a4a5-b8149298abae", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "663acc89-f680-4107-a5d3-429b54941f00", "createdDateTime": "2023-04-28T16:17:00.196564+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "appDisplayName": "Microsoft_AAD_RegisteredApps", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "1d30b018-f7a6-4e00-a4a5-b8149298abae", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "663acc89-f680-4107-a5d3-429b54941f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 298, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "icw6ZoD2B0Gl00KbVJQfAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:53.7631960Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "d72ed996-2f78-42de-98f8-399423cbf7df", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "7c6cbac2-c46f-4d28-838a-73d0ff507f00", "createdDateTime": "2023-04-28T16:16:53.763196+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "d72ed996-2f78-42de-98f8-399423cbf7df", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "7c6cbac2-c46f-4d28-838a-73d0ff507f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 230, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "wrpsfG_EKE2DinPQ_1B_AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:53.4689617Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "b70cacd3-c782-4963-b09c-08da1e5d6229", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "a95a596c-8c2e-43b9-9b8e-e530da2a8200", "createdDateTime": "2023-04-28T16:16:53.4689617+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "b70cacd3-c782-4963-b09c-08da1e5d6229", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "a95a596c-8c2e-43b9-9b8e-e530da2a8200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 110, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "bFlaqS6MuUObjuUw2iqCAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:53.4630766Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "e9a16587-2c5e-4e8c-b2b8-4f670601330b", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "fabb7bde-d740-4caa-bd35-439379ad9300", "createdDateTime": "2023-04-28T16:16:53.4630766+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "e9a16587-2c5e-4e8c-b2b8-4f670601330b", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "fabb7bde-d740-4caa-bd35-439379ad9300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 99, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "3nu7-kDXqky9NUOTea2TAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:53.4203779Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "ea7a8d76-cf40-4609-9368-fb213e130889", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "264d0500-34ce-470c-8b8a-c6c0d2fa8d00", "createdDateTime": "2023-04-28T16:16:53.4203779+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.36.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ea7a8d76-cf40-4609-9368-fb213e130889", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "264d0500-34ce-470c-8b8a-c6c0d2fa8d00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 78, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "AAVNJs40DEeLisbA0vqNAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:52.9549847Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "becff7a9-16e7-4d4f-ab73-01661f375d6d", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "3f175294-c1d7-4687-a7d3-f868517a9500", "createdDateTime": "2023-04-28T16:16:52.9549847+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "becff7a9-16e7-4d4f-ab73-01661f375d6d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "3f175294-c1d7-4687-a7d3-f868517a9500", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"AccessReview.ReadWrite.All\",\"AuditLog.Read.All\",\"ConsentRequest.ReadWrite.All\",\"Directory.AccessAsUser.All\",\"Directory.Read.All\",\"Directory.ReadWrite.All\",\"email\",\"EntitlementManagement.Read.All\",\"Group.ReadWrite.All\",\"IdentityProvider.ReadWrite.All\",\"IdentityRiskEvent.ReadWrite.All\",\"IdentityUserFlow.Read.All\",\"openid\",\"Policy.Read.All\",\"Policy.ReadWrite.AuthenticationFlows\",\"Policy.ReadWrite.AuthenticationMethod\",\"Policy.ReadWrite.ConditionalAccess\",\"Policy.ReadWrite.MobilityManagement\",\"profile\",\"Reports.Read.All\",\"RoleManagement.ReadWrite.Directory\",\"SecurityEvents.ReadWrite.All\",\"TrustFrameworkKeySet.Read.All\",\"User.Export.All\",\"User.ReadWrite.All\",\"UserAuthenticationMethod.ReadWrite.All\",\"Directory.Write.Restricted\",\"DirectoryRecommendations.Read.All\",\"DirectoryRecommendations.ReadWrite.All\",\"Policy.Read.IdentityProtection\",\"Policy.ReadWrite.ExternalIdentities\",\"Policy.ReadWrite.IdentityProtection\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 365, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "lFIXP9fBh0an0_hoUXqVAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:52.9303479Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "ec35e01a-c672-4c24-bb20-c610b60a13b0", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "b9a035fc-b52a-4dda-9de3-5092587f8300", "createdDateTime": "2023-04-28T16:16:52.9303479+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ec35e01a-c672-4c24-bb20-c610b60a13b0", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "b9a035fc-b52a-4dda-9de3-5092587f8300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"restricted_user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 342, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "_DWguSq12k2d41CSWH-DAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:52.8508362Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "13b942f5-b946-447f-9b7b-c9ae6f55111d", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "246c6235-96f6-472d-8ee2-9e35585b7f00", "createdDateTime": "2023-04-28T16:16:52.8508362+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "13b942f5-b946-447f-9b7b-c9ae6f55111d", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "246c6235-96f6-472d-8ee2-9e35585b7f00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 301, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "ADIbizaUX", "resourceId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NWJsJPaWLUeO4p41WFt_AA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:52.8114271Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "8cbf9991-7549-4602-83ac-667919d8b2da", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "e7dac394-a143-4618-bc13-1acb81ab7200", "createdDateTime": "2023-04-28T16:16:52.8114271+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "74658136-14ec-4630-ad9b-26e160ff0fc6", "appDisplayName": "ADIbizaUX", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "8cbf9991-7549-4602-83ac-667919d8b2da", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "e7dac394-a143-4618-bc13-1acb81ab7200", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Is Client Capable", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 216, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "IAM Supportability", "resourceId": "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "lMPa50OhGEa8ExrLgatyAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "592cad50-5996-4875-b604-d21539fa4483", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:51.5210034Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "5d114379-ce27-43e3-a3d2-e0f63c46e879", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "ca1ad65d-57f6-496f-bf29-019eaf0c2d00", "createdDateTime": "2023-04-28T16:16:51.5210034+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "5d114379-ce27-43e3-a3d2-e0f63c46e879", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "ca1ad65d-57f6-496f-bf29-019eaf0c2d00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"email\",\"openid\",\"Organization.Read.All\",\"Policy.ReadWrite.ApplicationConfiguration\",\"profile\",\"User.Read\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 680, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Microsoft Graph", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "XdYayvZXb0m_KQGerwwtAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "333b3653-e622-4b8a-a55c-b67d878113db", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:51.3927156Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "105cf68c-bb83-4a16-81bb-652d767eae6f", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "65be1436-ce6b-4523-930a-bf3e6cbe3b00", "createdDateTime": "2023-04-28T16:16:51.3927156+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "105cf68c-bb83-4a16-81bb-652d767eae6f", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "65be1436-ce6b-4523-930a-bf3e6cbe3b00", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 190, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "NhS-ZWvOI0WTCr8-bL47AA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:50.3394371Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "ddc9e41f-4492-4199-82b3-f2ae14b9662f", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "24bc232a-663a-4c4e-aca2-9087a34fa300", "createdDateTime": "2023-04-28T16:16:50.3394371+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Rich Client 4.46.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "ddc9e41f-4492-4199-82b3-f2ae14b9662f", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "24bc232a-663a-4c4e-aca2-9087a34fa300", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"user_impersonation\"]"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 224, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "KiO8JDpmTkysopCHo0-jAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:49.9766448Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "72.1.1.35", "correlationId": "f0b14b76-c897-4fa9-99f5-be55def35b57", "identity": "Splunk Threat Research", "Level": 4, "location": "US", "properties": {"id": "dd64f0b9-ad7e-4873-833c-90e8c112a400", "createdDateTime": "2023-04-28T16:16:49.9766448+00:00", "userDisplayName": "Splunk Threat Research", "userPrincipalName": "strt_admin@splunkresearch.com", "userId": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "72.1.1.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 112.0.0"}, "location": {"city": "New York", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 40.76095962524414, "longitude": -73.99759674072266}}, "mfaDetail": {}, "correlationId": "f0b14b76-c897-4fa9-99f5-be55def35b57", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "dd64f0b9-ad7e-4873-833c-90e8c112a400", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Login Hint Present", "value": "True"}, {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 529, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails": [{"authenticationStepDateTime": "2023-04-28T16:16:49.9766448+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}], "authenticationRequirementPolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "b2bCollaboration", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "ufBk3X6tc0iDPJDowRKkAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "902b6b39-2d22-429b-a635-baf8d57a0cf9", "rngcStatus": 0, "managedIdentityType": "none"}} {"time": "2023-04-28T16:16:06.2351715Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "ServicePrincipalSignInLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.1.19", "correlationId": "a0ade442-cfd6-4063-89b3-1b41928810c7", "Level": 4, "location": "US", "properties": {"id": "ee5346ac-1fad-462d-b55c-6c9137bd0c00", "createdDateTime": "2023-04-28T16:16:06.2351715+00:00", "userId": null, "appId": "314aed90-58e5-4022-8cd0-2264893d8cb8", "ipAddress": "34.1.1.19", "status": {"errorCode": 0}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625, "longitude": -119.6989974975586}}, "correlationId": "a0ade442-cfd6-4063-89b3-1b41928810c7", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "isInteractive": false, "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Azure AD App Authentication Library", "value": "Family: ADAL Library: ADAL.Python 1.2.7 Platform: Python"}], "clientCredentialType": "none", "processingTimeInMilliseconds": 0, "riskDetail": "none", "riskLevelAggregated": "low", "riskLevelDuringSignIn": "low", "riskState": "none", "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "servicePrincipalName": "fonder-splunk", "servicePrincipalId": "3a84d8e7-5ff1-4d01-89c4-ee5e2e8f9a5a", "flaggedForReview": false, "isTenantRestricted": false, "crossTenantAccessType": "none", "servicePrincipalCredentialKeyId": "76d6d721-c4c0-4a83-8bbe-2e09793f7be0", "uniqueTokenIdentifier": "rEZT7q0fLUa1XGyRN70MAA", "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "managedIdentityType": "none"}}