{"Actor": [{"ID": "victim@attack_range.lan", "Type": 5}, {"ID": "100300009FBEAAAA", "Type": 3}, {"ID": "Microsoft B2B Admin Worker", "Type": 1}, {"ID": "1e2ca66a-c176-45ea-a877-e87f7231e0ee", "Type": 2}, {"ID": "User_42f229de-3fea-423d-b3aa-23034e486c40", "Type": 2}, {"ID": "42f229de-3fea-423d-b3aa-23034e486c40", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "52.252.209.205", "AzureActiveDirectoryEventType": 1, "ClientIP": "52.252.209.205", "CreationTime": "2024-03-20T16:38:17", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "Id": "86da0fd3-df67-4d91-b151-d371eca7bd3e", "InterSystemsId": "fb44cdfe-a07f-4a8e-aebf-90c5799bfed9", "IntraSystemId": "1916c159-1ad1-44d6-935a-3ee83cafdb4e", "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"}, {"Name": "CreationType", "NewValue": "[\r\n  \"Invitation\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n  \"attacker\"\r\n]", "OldValue": "[]"}, {"Name": "InviteTicket", "NewValue": "[\r\n  {\r\n    \"Type\": 1,\r\n    \"Ticket\": \"c53f6130-9c7b-4670-ba45-a20f4e7001f3\"\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "MailNickname", "NewValue": "[\r\n  \"attacker_bad_guy.lol#EXT#\"\r\n]", "OldValue": "[]"}, {"Name": "OtherMail", "NewValue": "[\r\n  \"attacker@bad_guy.lol\"\r\n]", "OldValue": "[]"}, {"Name": "ProxyAddresses", "NewValue": "[\r\n  \"SMTP:attacker@bad_guy.lol\"\r\n]", "OldValue": "[]"}, {"Name": "StsRefreshTokensValidFrom", "NewValue": "[\r\n  \"2024-03-20T16:38:17Z\"\r\n]", "OldValue": "[]"}, {"Name": "UserPrincipalName", "NewValue": "[\r\n  \"attacker_bad_guy.lol#EXT#@attack_range.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "UserState", "NewValue": "[\r\n  \"PendingAcceptance\"\r\n]", "OldValue": "[]"}, {"Name": "UserStateChangedOn", "NewValue": "[\r\n  \"2024-03-20T16:38:17Z\"\r\n]", "OldValue": "[]"}, {"Name": "UserType", "NewValue": "[\r\n  \"Guest\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, CreationType, DisplayName, InviteTicket, MailNickname, OtherMail, ProxyAddresses, StsRefreshTokensValidFrom, UserPrincipalName, UserState, UserStateChangedOn, UserType", "OldValue": ""}, {"Name": "ActorId.ServicePrincipalNames", "NewValue": "https://msb2badminworker.usgovcloudapp.net/;https://msb2badminworker.cloudapp.net/;1e2ca66a-c176-45ea-a877-e87f7231e0ee", "OldValue": ""}, {"Name": "SPN", "NewValue": "https://msb2badminworker.usgovcloudapp.net/;https://msb2badminworker.cloudapp.net/;1e2ca66a-c176-45ea-a877-e87f7231e0ee", "OldValue": ""}], "ObjectId": "attacker_bad_guy.lol#EXT#@attack_range.onmicrosoft.com", "Operation": "Add user.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "User_001b519f-c2e6-4c5e-946f-85b0bcbeb2fd", "Type": 2}, {"ID": "001b519f-c2e6-4c5e-946f-85b0bcbeb2fd", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "attacker_bad_guy.lol#EXT#@attack_range.onmicrosoft.com", "Type": 5}, {"ID": "10032003656161CE", "Type": 3}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim@attack_range.lan", "UserKey": "100300009FBEAAAA@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "100300008E18906A", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type": 2}, {"ID": "User_4f63f2f4-73b0-429d-a0be-beab2e0f7e3e", "Type": 2}, {"ID": "4f63f2f4-73b0-429d-a0be-beab2e0f7e3e", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "AzureActiveDirectoryEventType": 1, "CreationTime": "2024-02-09T15:05:18", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Policy"}], "Id": "64621fdf-1b1c-4e0b-a195-c34595fd79de", "InterSystemsId": "b608c212-2de4-4a09-98e7-91349bbdad5d", "IntraSystemId": "608658ee-8a46-45a9-b8c3-1a100b26301f", "ModifiedProperties": [{"Name": "PolicyDetail", "NewValue": "[\r\n  \"{\\\"B2BManagementPolicy\\\":{\\\"InvitationsAllowedAndBlockedDomainsPolicy\\\":{\\\"AllowedDomains\\\":[\\\"knowngoodomain.com\\\",\\\"anothergooddomain.com\\\",\\\"bad_guy.lol\\\"]},\\\"AutoRedeemPolicy\\\":{\\\"AdminConsentedForUsersIntoTenantIds\\\":[{\\\"TenantId\\\":\\\"6915b1e0-b081-4829-8866-f1a3e883a9af\\\",\\\"Name\\\":\\\"attack_range2.onmicrosoft.com\\\"}],\\\"NoAADConsentForUsersFromTenantsIds\\\":[{\\\"TenantId\\\":\\\"6915b1e0-b081-4829-8866-f1a3e883a9af\\\",\\\"Name\\\":\\\"attack_range2.onmicrosoft.com\\\"}]}}}\"\r\n]", "OldValue": "[\r\n  \"{\\\"B2BManagementPolicy\\\":{\\\"InvitationsAllowedAndBlockedDomainsPolicy\\\":{\\\"AllowedDomains\\\":[\\\"knowngoodomain.com\\\",\\\"anothergooddomain.com\\\"]},\\\"AutoRedeemPolicy\\\":{\\\"AdminConsentedForUsersIntoTenantIds\\\":[{\\\"TenantId\\\":\\\"6915b1e0-b081-4829-8866-f1a3e883a9af\\\",\\\"Name\\\":\\\"attack_range2.onmicrosoft.com\\\"}],\\\"NoAADConsentForUsersFromTenantsIds\\\":[{\\\"TenantId\\\":\\\"6915b1e0-b081-4829-8866-f1a3e883a9af\\\",\\\"Name\\\":\\\"attack_range2.onmicrosoft.com\\\"}]}}}\"\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "PolicyDetail", "OldValue": ""}], "ObjectId": "Policy_a485bd05-0993-45ea-a3af-d0be687fb2f8", "Operation": "Update policy.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Policy_a485bd05-0993-45ea-a3af-d0be687fb2f8", "Type": 2}, {"ID": "a485bd05-0993-45ea-a3af-d0be687fb2f8", "Type": 2}, {"ID": "Policy", "Type": 2}, {"ID": "B2BManagementPolicy", "Type": 1}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "100300008E18906A@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "Malicious Service Principal", "Type": 1}, {"ID": "b39d63e7-7fa3-4b2b-94ea-ee256fdb8c2f", "Type": 2}, {"ID": "ServicePrincipal_ff45cda2-75e3-4be8-84b7-f5720d42b5b0", "Type": 2}, {"ID": "ff45cda2-75e3-4be8-84b7-f5720d42b5b0", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "52.224.85.250", "AzureActiveDirectoryEventType": 1, "ClientIP": "52.224.85.250", "CreationTime": "2024-03-20T07:51:02", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "CrossTenantAccessSettings"}], "Id": "4923abb2-609c-411e-a685-0c4f0c53ecfb", "InterSystemsId": "f76baa3e-1207-41fb-b5df-631ceccb9b2e", "IntraSystemId": "b5ea04c4-e89f-45d6-ad54-9d8ba882e701", "ModifiedProperties": [{"Name": "tenantId", "NewValue": "141e07d1-6f28-4169-b951-316d5a941d88", "OldValue": ""}], "ObjectId": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Operation": "Add a partner to cross-tenant access setting.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "Policy", "Type": 2}, {"ID": "CrossTenantAccessPolicy for 6915b1e0-b081-4829-8866-f1a3e883a9ae", "Type": 1}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "ServicePrincipal_ff45cda2-75e3-4be8-84b7-f5720d42b5b0", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "10037FFEAA5FB8A0", "Type": 3}, {"ID": "User_91ec8a8a-88b4-4159-9a36-acdf37ef17b2", "Type": 2}, {"ID": "91ec8a8a-88b4-4159-9a36-acdf37ef17b2", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "AzureActiveDirectoryEventType": 1, "CreationTime": "2024-02-22T21:04:59", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "CrossTenantAccessSettings"}], "Id": "eeef67a0-85f7-44c5-9bf9-fee42541db36", "InterSystemsId": "d660e456-16db-486b-9598-f8e74f69b1f0", "IntraSystemId": "21da5ea8-7ed3-462b-a203-486b26c2d4dd", "ModifiedProperties": [{"Name": "tenantId", "NewValue": "341dac3b-34e1-4b06-a4df-5c0259946074", "OldValue": ""}], "ObjectId": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Operation": "Add a partner to cross-tenant access setting.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "Policy", "Type": 2}, {"ID": "CrossTenantAccessPolicy for 6915b1e0-b081-4829-8866-f1a3e883a9ae", "Type": 1}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "10037FFEAA5FB8A0@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "10037FFEAA5FB8A0", "Type": 3}, {"ID": "User_91ec8a8a-88b4-4159-9a36-acdf37ef17b2", "Type": 2}, {"ID": "91ec8a8a-88b4-4159-9a36-acdf37ef17b2", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "AzureActiveDirectoryEventType": 1, "CreationTime": "2024-02-22T21:09:46", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "CrossTenantAccessSettings"}], "Id": "e9881eef-97df-4fda-aa53-bf3aaf35f7aa", "InterSystemsId": "abb242e5-b3e2-4d8d-9d26-4d74f494f888", "IntraSystemId": "a5fedd23-0e60-4326-bfda-1cd5909ba68f", "ModifiedProperties": [{"Name": "tenantId", "NewValue": "341dac3b-34e1-4b06-a4df-5c0259946074", "OldValue": "341dac3b-34e1-4b06-a4df-5c0259946074"}], "ObjectId": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Operation": "Delete partner specific cross-tenant access setting.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Policy_17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "17c7001d-3a4d-4bf7-9cc6-ee0e40f665da", "Type": 2}, {"ID": "Policy", "Type": 2}, {"ID": "CrossTenantAccessPolicy for 6915b1e0-b081-4829-8866-f1a3e883a9ae", "Type": 1}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "10037FFEAA5FB8A0@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "10033FFFA43A9AC3", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2024-04-10T12:55:08", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.140\",\"AppId\":\"751becbb-0093-4c37-8bda-8c23f57b9162\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "Id": "1a23a115-7169-4f94-baa2-b84248dc4134", "InterSystemsId": "7ee8f29e-3eb6-49a7-9d0d-3b0bc19cc5d7", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "ModifiedProperties": [{"Name": "AvailableToOtherTenants", "NewValue": "[\r\n  true\r\n]", "OldValue": "[\r\n  false\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "AvailableToOtherTenants", "OldValue": ""}], "ObjectId": "Application_e22aecc9-58ce-4509-a597-67f81c1bbb76", "Operation": "Update application.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Application_e22aecc9-58ce-4509-a597-67f81c1bbb76", "Type": 2}, {"ID": "e22aecc9-58ce-4509-a597-67f81c1bbb76", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious_APP1", "Type": 1}, {"ID": "751becbb-0093-4c37-8bda-8c23f57b9162", "Type": 2}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "10033FFFA43A9AC3@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "10033FFFA43A9AC3", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2024-04-10T12:57:04", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.140\",\"AppId\":\"7b8e46c8-948b-494e-b09a-867eba8fc49a\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "Id": "5ce365a9-b849-46b5-ab32-8493319f1875", "InterSystemsId": "5cae7c6e-4c04-409d-b833-2524e96a8d09", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n  \"7b8e46c8-948b-494e-b09a-867eba8fc49a\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n  \"Malicious_APP2_Multitenant\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n  {\r\n    \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n  \"attack_range.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n  {\r\n    \"IsEnabled\": true,\r\n    \"AllProperties\": true,\r\n    \"CredentialsWithUsageVerify\": true,\r\n    \"CredentialsWithUsageSign\": true,\r\n    \"IdentifierUris\": false,\r\n    \"TokenEncryptionKeyId\": true\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "ObjectId": "Application_0af33861-11b1-4d70-acbc-cd981b145a9d", "Operation": "Add application.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Application_0af33861-11b1-4d70-acbc-cd981b145a9d", "Type": 2}, {"ID": "0af33861-11b1-4d70-acbc-cd981b145a9d", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Tes_API_APP2_Multitenant", "Type": 1}, {"ID": "7b8e46c8-948b-494e-b09a-867eba8fc49a", "Type": 2}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "10033FFFA43A9AC3@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.lan", "Type": 5}, {"ID": "10033FFFA43A9AC3", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "96b41157-00a8-46d0-866b-3d9589a334e5", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2024-04-10T12:57:58", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.140\",\"AppId\":\"bf63b14d-21c6-49d8-aa8a-a0c7763461a0\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "Id": "31c155cd-b1dd-4f29-ae24-f6a554e95269", "InterSystemsId": "bd25754d-461c-4320-8101-e82962aabd39", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n  \"bf63b14d-21c6-49d8-aa8a-a0c7763461a0\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n  \"Malicious_APP3_Multitenant_and_Personal\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n  {\r\n    \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n    \"RequiredAppPermissions\": [\r\n      {\r\n        \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n        \"DirectAccessGrant\": false,\r\n        \"ImpersonationAccessGrants\": [\r\n          20\r\n        ]\r\n      }\r\n    ],\r\n    \"EncodingVersion\": 1\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n  \"attack_range.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n  {\r\n    \"IsEnabled\": true,\r\n    \"AllProperties\": true,\r\n    \"CredentialsWithUsageVerify\": true,\r\n    \"CredentialsWithUsageSign\": true,\r\n    \"IdentifierUris\": false,\r\n    \"TokenEncryptionKeyId\": true\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "ObjectId": "Application_0754b614-41c2-4ff0-8150-d9e337944b62", "Operation": "Add application.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Application_0754b614-41c2-4ff0-8150-d9e337944b62", "Type": 2}, {"ID": "0754b614-41c2-4ff0-8150-d9e337944b62", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Test_API_APP3_Multitenant_and_Personal", "Type": 1}, {"ID": "bf63b14d-21c6-49d8-aa8a-a0c7763461a0", "Type": 2}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.lan", "UserKey": "10033FFFA43A9AC3@attack_range.lan", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "MS-PIM", "Type": 1}, {"ID": "01fc33a7-78ba-4d2f-a4b7-768e336e890e", "Type": 2}, {"ID": "ServicePrincipal_34d49b97-725f-480d-8971-89b92df5ca70", "Type": 2}, {"ID": "34d49b97-725f-480d-8971-89b92df5ca70", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "ActorIpAddress": "172.170.254.43", "AzureActiveDirectoryEventType": 1, "ClientIP": "172.170.254.43", "CreationTime": "2024-03-21T13:08:48", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "Id": "0bc79ad5-7c63-44ab-9495-f9e08d315e8e", "InterSystemsId": "636a211d-7b24-448c-b618-04975c7fb2e4", "IntraSystemId": "3921fc01-d201-471f-baf4-a0becf9257c7", "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "dc6acb7b-951e-489c-92d5-5b4686ad47d2", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Privileged Role Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "e8611ab8-c189-46e8-94e1-60213ab1f814", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "PrivilegedRoleAdmins", "OldValue": ""}], "ObjectId": "attacker@attack_range.lan", "Operation": "Add member to role.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "User_3921fc01-d201-471f-baf4-a0becf9257c7", "Type": 2}, {"ID": "3921fc01-d201-471f-baf4-a0becf9257c7", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "attacker_persistence@attack_range", "Type": 5}, {"ID": "10032001C7E04175", "Type": 3}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "ServicePrincipal_34d49b97-725f-480d-8971-89b92df5ca70", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.onmicrosoft.com", "Type": 5}, {"ID": "10032002124AE785", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_ce8d9c55-f8cc-4cb0-8cba-b21173745ecd", "Type": 2}, {"ID": "ce8d9c55-f8cc-4cb0-8cba-b21173745ecd", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "AzureActiveDirectoryEventType": 1, "CreationTime": "2023-08-09T13:51:32", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "Id": "dfadcd97-bf28-4dac-a473-4217f029f22e", "InterSystemsId": "1eaf3b14-cbb3-498d-8e25-c028c30d7d12", "IntraSystemId": "ad5b21e5-f43f-4c69-8a8e-046655608839", "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "89fe0879-5824-43f1-a8a8-ef0f79c98a40", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "User Account Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "fe930be7-5e62-47db-91af-98c3a49a38b1", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "UserAccountAdmins", "OldValue": ""}], "ObjectId": "attacker_persistence@attack_range.lan", "Operation": "Add member to role.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "User_d6bc0361-c95e-43b0-bbc4-4b85f5fd636f", "Type": 2}, {"ID": "d6bc0361-c95e-43b0-bbc4-4b85f5fd636f", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "attacker_persistence@attack_range.lan", "Type": 5}, {"ID": "10032001F74F536F", "Type": 3}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.onmicrosoft.com", "UserKey": "10032002124AE785@attack_range.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}
{"Actor": [{"ID": "attacker@attack_range.onmicrosoft.com", "Type": 5}, {"ID": "10032002124AE785", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_ce8d9c55-f8cc-4cb0-8cba-b21173745ecd", "Type": 2}, {"ID": "ce8d9c55-f8cc-4cb0-8cba-b21173745ecd", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "AzureActiveDirectoryEventType": 1, "CreationTime": "2024-03-20T14:20:13", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "Id": "8bf4560f-8f73-4341-9f60-f52e1e0bfebd", "InterSystemsId": "4480ca61-144c-4506-8fa4-5712a6313e3c", "IntraSystemId": "3fba33a1-1397-400c-b085-79a5a1a7f476", "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "e2bdc40b-be3f-4670-a7d2-6f32f2abcf94", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "729827e3-9c14-49f7-bb1b-9608f156bbb8", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "HelpdeskAdmins", "OldValue": ""}], "ObjectId": "ServicePrincipal_f7f88c31-2e3f-4708-9791-b193d8001a25", "Operation": "Add member to role.", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_f7f88c31-2e3f-4708-9791-b193d8001a25", "Type": 2}, {"ID": "f7f88c31-2e3f-4708-9791-b193d8001a25", "Type": 2}, {"ID": "Other", "Type": 2}], "TargetContextId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "attacker@attack_range.onmicrosoft.com", "UserKey": "10032002124AE785@attack_range.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}