{"id": "38aa73b1-5d21-439d-b613-9a45cfe5ac00", "createdDateTime": "2024-02-08T21:45:04Z", "userDisplayName": "user30 Edwards", "userPrincipalName": "user30@splunkresearch.onmicrosoft.com", "userId": "e4c722ac-3b83-478d-8f52-c388885dc30f", "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appDisplayName": "Azure Portal", "ipAddress": "120.1.121.43", "clientAppUsed": "Browser", "correlationId": "e920e381-49e2-4482-a808-18fdfbaf8610", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Service Management API", "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": null}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 121.0.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 65.75948, "longitude": -48.989869999999996}}, "appliedConditionalAccessPolicies": []}
{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac", "Operation": "Add app role assignment to service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "full_access_as_app", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "Use Exchange Web Services with full access to all mailboxes", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime", "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "ServicePrincipal.ObjectID", "NewValue": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "OldValue": ""}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "STRT_Oauth", "OldValue": ""}, {"Name": "ServicePrincipal.AppId", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "ServicePrincipal.Name", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ed53faec-49b5-444f-b6af-b928558ca433", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Office 365 Exchange Online", "Type": 1}, {"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}
{"CreationTime": "2024-02-08T21:45:53", "Id": "1b1c4d79-2b3a-4f7b-9947-04cc5abbbfc4", "Operation": "Remove app role assignment from service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "", "OldValue": "dc890d15-9560-4a4c-9b7f-a736ec74ec40"}, {"Name": "AppRole.Value", "NewValue": "", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime", "NewValue": "", "OldValue": "2/8/2024 9:40:19 PM"}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "", "OldValue": "2/8/2024 9:40:19 PM"}, {"Name": "ServicePrincipal.ObjectID", "NewValue": "", "OldValue": "2e5c2fd0-cca4-452c-9891-a07c0dafd964"}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "", "OldValue": "STRT_Oauth"}, {"Name": "ServicePrincipal.AppId", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "ServicePrincipal.Name", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "4bb4393b-41c8-477a-8e78-e51760ed6748", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Office 365 Exchange Online", "Type": 1}, {"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}
{"id": "14b97906-8ef1-48c4-986d-6e778b45b000", "createdDateTime": "2024-02-08T21:38:16Z", "userDisplayName": "user30 Edwards", "userPrincipalName": "user30@splunkresearch.onmicrosoft.com", "userId": "e4c722ac-3b83-478d-8f52-c388885dc30f", "appId": "f6e73133-98cb-4b03-83f1-d313f671afd8", "appDisplayName": "jmainville-soar-cloud-ews4o365-azure-auth", "ipAddress": "3.19.222.116", "clientAppUsed": "Browser", "correlationId": "343df597-5f2d-4d99-8c5e-590c28878392", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": null}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.25", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Columbus", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 64.99557999999999, "longitude": -57.99946}}, "appliedConditionalAccessPolicies": []}
{"CreationTime": "2024-02-08T21:45:04", "Id": "38aa73b1-5d21-439d-b613-9a45cfe5ac00", "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "e4c722ac-3b83-478d-8f52-c388885dc30f", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "120.1.121.43", "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 0}, {"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "120.1.121.43", "InterSystemsId": "e920e381-49e2-4482-a808-18fdfbaf8610", "IntraSystemId": "38aa73b1-5d21-439d-b613-9a45cfe5ac00", "SupportTicketId": "", "Target": [{"ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "SessionId", "Value": "d50085e2-cc05-43b6-95fe-17fc5efed33f"}], "ErrorNumber": "0"}