{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3", "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com", "UserId": "victim@splunkresearch1.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationMethod", "NewValue": "[\r\n  {\r\n    \"MethodType\": 7,\r\n    \"Default\": false\r\n  },\r\n  {\r\n    \"MethodType\": 6,\r\n    \"Default\": true\r\n  },\r\n  {\r\n    \"MethodType\": 0,\r\n    \"Default\": false\r\n  },\r\n  {\r\n    \"MethodType\": 5,\r\n    \"Default\": false\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"MethodType\": 6,\r\n    \"Default\": true\r\n  },\r\n  {\r\n    \"MethodType\": 7,\r\n    \"Default\": false\r\n  }\r\n]"}, {"Name": "StrongAuthenticationRequirement", "NewValue": "[\r\n  {\r\n    \"RelyingParty\": \"*\",\r\n    \"State\": 0,\r\n    \"RememberDevicesNotIssuedBefore\": \"2023-10-19T16:11:43+00:00\"\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"RelyingParty\": \"*\",\r\n    \"State\": 1,\r\n    \"RememberDevicesNotIssuedBefore\": \"2023-10-19T16:11:43+00:00\"\r\n  }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationMethod, StrongAuthenticationRequirement", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}, {"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": "533a45c6-4f9a-4527-ad8d-e8fec5c7d8e4", "IntraSystemId": "32734207-053e-4ad1-87a3-4da1dfa69c58", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}
{"CreationTime": "2023-10-20T19:32:58", "Id": "c0cb9494-9ceb-48e4-809d-390037b99c5e", "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com", "UserId": "ServicePrincipal_36d3537c-8bd8-4aef-8088-699ece69e2c6", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\",\"User-Agent\":\"Microsoft ADO.NET Data Services\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "Included Updated Properties", "NewValue": "", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "Microsoft App Access Panel", "Type": 1}, {"ID": "0000000c-0000-0000-c000-000000000000", "Type": 2}, {"ID": "ServicePrincipal_36d3537c-8bd8-4aef-8088-699ece69e2c6", "Type": 2}, {"ID": "36d3537c-8bd8-4aef-8088-699ece69e2c6", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": "f2de6df9-5f77-419e-8662-251a1b9abe13", "IntraSystemId": "32734207-053e-4ad1-87a3-4da1dfa69c58", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}
{"CreationTime": "2023-10-20T19:32:57", "Id": "5daa3888-51ee-40b0-a5d6-42c9cad1c00d", "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com", "UserId": "victim@splunkresearch1.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationUserDetails", "NewValue": "[\r\n  {\r\n    \"PhoneNumber\": \"+1 5041237654\",\r\n    \"AlternativePhoneNumber\": null,\r\n    \"Email\": null,\r\n    \"VoiceOnlyPhoneNumber\": null\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationUserDetails", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}, {"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": "f0d90ae2-6d98-4d29-b335-6334a54fa56f", "IntraSystemId": "32734207-053e-4ad1-87a3-4da1dfa69c58", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}
{"CreationTime": "2023-10-20T19:31:04", "Id": "28255a24-2e22-45d2-8e80-58318b5e5420", "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com", "UserId": "ServicePrincipal_e80590c4-87c0-491b-829b-11d2e23ea384", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail", "NewValue": "[\r\n  {\r\n    \"DeviceName\": \"iphon 12 Pro\",\r\n    \"DeviceToken\": \"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\r\n    \"DeviceTag\": \"SoftwareTokenActivated\",\r\n    \"PhoneAppVersion\": \"6.7.15\",\r\n    \"OathTokenTimeDrift\": 0,\r\n    \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n    \"Id\": \"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\r\n    \"TimeInterval\": 0,\r\n    \"AuthenticationType\": 3,\r\n    \"NotificationType\": 2,\r\n    \"LastAuthenticatedTimestamp\": \"2023-10-20T19:31:03.9429835Z\",\r\n    \"AuthenticatorFlavor\": null,\r\n    \"HashFunction\": null,\r\n    \"TenantDeviceId\": null,\r\n    \"SecuredPartitionId\": 0,\r\n    \"SecuredKeyId\": 0\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"DeviceName\": \"iphon 12 Pro\",\r\n    \"DeviceToken\": \"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\r\n    \"DeviceTag\": \"SoftwareTokenActivated\",\r\n    \"PhoneAppVersion\": \"6.7.15\",\r\n    \"OathTokenTimeDrift\": -1,\r\n    \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n    \"Id\": \"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\r\n    \"TimeInterval\": 0,\r\n    \"AuthenticationType\": 3,\r\n    \"NotificationType\": 2,\r\n    \"LastAuthenticatedTimestamp\": \"2023-10-19T16:04:25.2399988Z\",\r\n    \"AuthenticatorFlavor\": null,\r\n    \"HashFunction\": null,\r\n    \"TenantDeviceId\": null,\r\n    \"SecuredPartitionId\": 0,\r\n    \"SecuredKeyId\": 0\r\n  }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPhoneAppDetail", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "Azure MFA StrongAuthenticationService", "Type": 1}, {"ID": "b5a60e17-278b-4c92-a4e2-b9262e66bb28", "Type": 2}, {"ID": "ServicePrincipal_e80590c4-87c0-491b-829b-11d2e23ea384", "Type": 2}, {"ID": "e80590c4-87c0-491b-829b-11d2e23ea384", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": "79237fbb-b2ea-44d2-a33e-3123968008a4", "IntraSystemId": "b20ea8dc-96ed-4f58-970b-9a49d29f5450", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}