{"CreationTime": "2024-01-30T15:24:59", "Id": "d2aaeb3c-f063-42f8-b597-a2e72ed14e1a", "Operation": "Update service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "867f0d29-0eab-4017-b691-c4713cc7d7b0", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"AppId\":\"867f0d29-0eab-4017-b691-c4713cc7d7b0\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "Included Updated Properties", "NewValue": "", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "867f0d29-0eab-4017-b691-c4713cc7d7b0", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "5e800cf4-1869-4a9c-81c1-55ffa81d7ec1", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_225cb41b-4a49-47de-9423-d3112bd0bc2d", "Type": 2}, {"ID": "225cb41b-4a49-47de-9423-d3112bd0bc2d", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "MaliciousApp", "Type": 1}, {"ID": "867f0d29-0eab-4017-b691-c4713cc7d7b0", "Type": 2}, {"ID": "867f0d29-0eab-4017-b691-c4713cc7d7b0", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}
{"CreationTime": "2024-01-30T15:24:59", "Id": "7c93e761-608c-4ef2-9bde-049f680d3b45", "Operation": "Update application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_75924835-d844-4947-96ba-18074e997386", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"AppId\":\"867f0d29-0eab-4017-b691-c4713cc7d7b0\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "RequiredResourceAccess", "NewValue": "[\r\n  {\r\n    \"ResourceAppId\": \"00000002-0000-0ff1-ce00-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"dc890d15-9560-4a4c-9b7f-a736ec74ec40\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  },\r\n  {\r\n    \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      },\r\n      {\r\n        \"EntitlementId\": \"06b708a9-e830-4db3-a914-8e69da51d44f\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      },\r\n      {\r\n        \"EntitlementId\": \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      },\r\n      {\r\n        \"EntitlementId\": \"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"ResourceAppId\": \"00000002-0000-0ff1-ce00-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"dc890d15-9560-4a4c-9b7f-a736ec74ec40\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  },\r\n  {\r\n    \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      },\r\n      {\r\n        \"EntitlementId\": \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\r\n        \"DirectAccessGrant\": true,\r\n        \"ImpersonationAccessGrants\": []\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "RequiredResourceAccess", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "5e800cf4-1869-4a9c-81c1-55ffa81d7ec1", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_75924835-d844-4947-96ba-18074e997386", "Type": 2}, {"ID": "75924835-d844-4947-96ba-18074e997386", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "MaliciousApp", "Type": 1}, {"ID": "867f0d29-0eab-4017-b691-c4713cc7d7b0", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}
{"CreationTime": "2024-01-30T15:23:45", "Id": "3b29c486-e21a-46db-8012-6f7b46b55d00", "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "e4c722ac-3b83-478d-8f52-c388885dc30f", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "120.1.121.35", "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 0}, {"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "120.1.121.35", "InterSystemsId": "45c9b6e3-1503-4b26-9a3a-f87a1d900c35", "IntraSystemId": "3b29c486-e21a-46db-8012-6f7b46b55d00", "SupportTicketId": "", "Target": [{"ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "SessionId", "Value": "d50085e2-cc05-43b6-95fe-17fc5efed33f"}], "ErrorNumber": "0"}
{"CreationTime": "2024-01-30T15:23:45", "Id": "dd6f7e3a-b582-40a3-bc3a-25b91cad6700", "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "e4c722ac-3b83-478d-8f52-c388885dc30f", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "120.1.121.35", "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 0}, {"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "120.1.121.35", "InterSystemsId": "e920e381-49e2-4482-a808-18fdfbaf8610", "IntraSystemId": "dd6f7e3a-b582-40a3-bc3a-25b91cad6700", "SupportTicketId": "", "Target": [{"ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "SessionId", "Value": "d50085e2-cc05-43b6-95fe-17fc5efed33f"}], "ErrorNumber": "0"}
{"CreationTime": "2024-01-30T15:23:40", "Id": "ba90a985-068a-401f-b6ee-cf134f1a5900", "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "e4c722ac-3b83-478d-8f52-c388885dc30f", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "120.1.121.35", "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 0}, {"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "120.1.121.35", "InterSystemsId": "45c9b6e3-1503-4b26-9a3a-f87a1d900c35", "IntraSystemId": "ba90a985-068a-401f-b6ee-cf134f1a5900", "SupportTicketId": "", "Target": [{"ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "SessionId", "Value": "d50085e2-cc05-43b6-95fe-17fc5efed33f"}], "ErrorNumber": "0"}
{"Id": "e8af118d-46fc-4286-8145-3ebd6b8c8c1e", "RecordType": 210, "CreationTime": "2024-01-30T15:21:27", "Operation": "MDCAssessments", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "UserType": 4, "UserKey": "System", "UserId": "System", "Workload": "CompliancePostureManagement", "UserSharedWith": "", "PropertyBag": [{"DataType": "NeedsAggregation", "AssessmentStatusPerInitiative": [{"SecurityAssessmentId": "c476dc48-8110-4139-91af-c8d940896b98", "SubscriptionId": "4c357906-2c22-4d91-98aa-180d9a85a370", "SubscriptionName": "", "EventType": "Microsoft.Security/assessments/Write", "ArnEventId": "b41cf4ea-97d4-4d15-a9b3-a80d082dacfd", "ResourceType": "microsoft.compute/virtualmachines", "CustomerResourceId": "/subscriptions/4c357906-2c22-4d91-98aa-180d9a85a370/resourcegroups/pluginframework/providers/microsoft.compute/virtualmachines/phantom-identity", "ResourceName": "phantom-identity", "StatusCode": "Unhealthy", "StatusChangeDate": "2024-01-30T15:21:07", "StatusFirstEvaluationDate": "2023-03-13T15:20:26", "PolicyInitiativeId": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "PolicyInitiativeName": "ASC Default", "CloudProvider": "Azure"}]}]}