{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "0ee19da2-ee3d-4743-ae53-8cb79599c384", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Company Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "62e90394-69f5-4237-9190-012177145e10", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "TenantAdmins", "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId": "6a6b4dfe-8b77-49db-9999-510115d1f3dd", "IntraSystemId": "c36bfbae-b287-415b-bc14-ab5c3a9248d7", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"} {"CreationTime": "2023-10-20T16:10:35", "Id": "36235836-efeb-4fde-a7c0-52c3a937a65a", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "3eb95074-ce4f-4360-a1e9-b5e09bf01e1c", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Skype for Business Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "75941009-915a-4869-abe7-691bff18279e", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "LyncServiceAdmins", "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId": "ab065e7e-8aef-408f-93eb-58af2fecd53b", "IntraSystemId": "160a3364-9e59-4f66-9a68-86bec57fd1ea", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"} {"CreationTime": "2023-10-20T16:10:16", "Id": "aa11bce3-121e-4183-b624-0db904076fe2", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "696eb450-f6ad-4786-9237-3539eb1b458c", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "SharePoint Service Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "SharePointServiceAdmins", "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId": "ba486cf3-0745-4818-9cbe-a54da6430855", "IntraSystemId": "4b71323d-f088-4302-8bff-1b414c41d499", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"} {"CreationTime": "2023-10-20T16:09:58", "Id": "da312ba5-42db-47a3-a96f-3be5385e0643", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "09f0edb1-99b1-488e-8830-9e02e8712d74", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Exchange Service Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "29232cdf-9323-42fd-ade2-1d097af3e4de", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "ExchangeServiceAdmins", "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId": "a446716e-e89d-472b-a159-94b32a8e1ecf", "IntraSystemId": "06fbc397-e3b2-4aa5-9d66-43cd9c23b33b", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"}