{"CreationTime": "2024-02-07T22:31:14", "Id": "b47e890a-5bc1-4ebd-a8d5-2f4796de80d6", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_aef7a9a6-428e-4f0f-ab09-b0f10b21bda6", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious11\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "9a0d48df-8083-4c2a-9095-5475289fb512", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_aef7a9a6-428e-4f0f-ab09-b0f10b21bda6", "Type": 2}, {"ID": "aef7a9a6-428e-4f0f-ab09-b0f10b21bda6", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious11\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ea473f15-64b3-435a-a885-6ee3908919e2", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:31:08", "Id": "d4f10431-2963-4f3b-a89e-825c35cdbb90", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_852b916a-d355-4991-82af-444a9f8e107f", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"6afcdaf6-7dc9-43d2-a707-4274d499e479\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"6afcdaf6-7dc9-43d2-a707-4274d499e479\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious10\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ae72115d-6d1e-4a44-a45b-428b899feaa6", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_852b916a-d355-4991-82af-444a9f8e107f", "Type": 2}, {"ID": "852b916a-d355-4991-82af-444a9f8e107f", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious10", "Type": 1}, {"ID": "6afcdaf6-7dc9-43d2-a707-4274d499e479", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:31:08", "Id": "2f4ebb0e-abe3-41e8-b97a-4e38cc7b176e", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "6afcdaf6-7dc9-43d2-a707-4274d499e479", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"6afcdaf6-7dc9-43d2-a707-4274d499e479\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"6afcdaf6-7dc9-43d2-a707-4274d499e479\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious10\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"6afcdaf6-7dc9-43d2-a707-4274d499e479\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "6afcdaf6-7dc9-43d2-a707-4274d499e479", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "9ac984a7-4ce8-47c0-8e1b-0813d688163a", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_e1ed4567-2dcb-4f69-b9e0-b90d777e1ef7", "Type": 2}, {"ID": "e1ed4567-2dcb-4f69-b9e0-b90d777e1ef7", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious10", "Type": 1}, {"ID": "6afcdaf6-7dc9-43d2-a707-4274d499e479", "Type": 2}, {"ID": "6afcdaf6-7dc9-43d2-a707-4274d499e479", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:31:02", "Id": "c9784912-a865-4b3e-aa9c-bdbaa4d703ba", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_8294d9f8-20c4-4323-ad9f-e2d075f2ea2e", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"c57490e5-d8bb-441d-a3b8-aa94b24d19cf\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"c57490e5-d8bb-441d-a3b8-aa94b24d19cf\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious9\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ee0432fe-ffbb-49d7-822e-55ce39597c7a", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_8294d9f8-20c4-4323-ad9f-e2d075f2ea2e", "Type": 2}, {"ID": "8294d9f8-20c4-4323-ad9f-e2d075f2ea2e", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious9", "Type": 1}, {"ID": "c57490e5-d8bb-441d-a3b8-aa94b24d19cf", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:31:02", "Id": "9a5de7f8-5875-45dd-9af3-8355ced8e90f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "c57490e5-d8bb-441d-a3b8-aa94b24d19cf", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"c57490e5-d8bb-441d-a3b8-aa94b24d19cf\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"c57490e5-d8bb-441d-a3b8-aa94b24d19cf\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious9\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"c57490e5-d8bb-441d-a3b8-aa94b24d19cf\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "c57490e5-d8bb-441d-a3b8-aa94b24d19cf", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "5e2f6daf-e67a-4df3-9b08-d5926464e4af", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_bc4581c4-d67d-4d94-99fe-d3b05d0ccddd", "Type": 2}, {"ID": "bc4581c4-d67d-4d94-99fe-d3b05d0ccddd", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious9", "Type": 1}, {"ID": "c57490e5-d8bb-441d-a3b8-aa94b24d19cf", "Type": 2}, {"ID": "c57490e5-d8bb-441d-a3b8-aa94b24d19cf", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:53", "Id": "322ca941-41f8-4cf4-bcc6-e3f867c3cd07", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_93bf46cf-43ae-4d3d-ac19-5cd68310569a", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"0b4c428b-9287-44d4-9e60-b31e1a4c06db\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"0b4c428b-9287-44d4-9e60-b31e1a4c06db\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious8\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "3f1217e2-8426-4672-b7cf-de25e664bc39", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_93bf46cf-43ae-4d3d-ac19-5cd68310569a", "Type": 2}, {"ID": "93bf46cf-43ae-4d3d-ac19-5cd68310569a", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious8", "Type": 1}, {"ID": "0b4c428b-9287-44d4-9e60-b31e1a4c06db", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:53", "Id": "85ffea1d-d187-471f-92ae-8b2dbdce87a2", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "0b4c428b-9287-44d4-9e60-b31e1a4c06db", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"0b4c428b-9287-44d4-9e60-b31e1a4c06db\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"0b4c428b-9287-44d4-9e60-b31e1a4c06db\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious8\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"0b4c428b-9287-44d4-9e60-b31e1a4c06db\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "0b4c428b-9287-44d4-9e60-b31e1a4c06db", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "b22b3d3e-b39f-4f30-bc62-f2a4b6cad7c6", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_561a247c-98a8-46d0-8763-e79b8496c33f", "Type": 2}, {"ID": "561a247c-98a8-46d0-8763-e79b8496c33f", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious8", "Type": 1}, {"ID": "0b4c428b-9287-44d4-9e60-b31e1a4c06db", "Type": 2}, {"ID": "0b4c428b-9287-44d4-9e60-b31e1a4c06db", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:45", "Id": "f8d191b7-b66f-4d7c-ba05-bf5ab69ab8ac", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "52b89a79-1544-497e-9d64-169452efdb7b", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"52b89a79-1544-497e-9d64-169452efdb7b\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"52b89a79-1544-497e-9d64-169452efdb7b\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious7\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"52b89a79-1544-497e-9d64-169452efdb7b\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "52b89a79-1544-497e-9d64-169452efdb7b", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "dc672842-aa67-4f21-8a81-0f333672f89e", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_77db49cc-371e-4059-9a7b-88ee841b6518", "Type": 2}, {"ID": "77db49cc-371e-4059-9a7b-88ee841b6518", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious7", "Type": 1}, {"ID": "52b89a79-1544-497e-9d64-169452efdb7b", "Type": 2}, {"ID": "52b89a79-1544-497e-9d64-169452efdb7b", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:44", "Id": "28bf3246-61ff-4db9-8859-0db603663062", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_f1290977-c73a-4e0b-b7c6-c1262a4475b5", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"52b89a79-1544-497e-9d64-169452efdb7b\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"52b89a79-1544-497e-9d64-169452efdb7b\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious7\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "78737df2-ee1d-4fb4-96d5-a9c5aab5bfe9", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_f1290977-c73a-4e0b-b7c6-c1262a4475b5", "Type": 2}, {"ID": "f1290977-c73a-4e0b-b7c6-c1262a4475b5", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious7", "Type": 1}, {"ID": "52b89a79-1544-497e-9d64-169452efdb7b", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:36", "Id": "8d6eab97-9c77-4002-b8db-4b140329a286", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "4083377d-ef3f-4732-8b15-099905710508", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"4083377d-ef3f-4732-8b15-099905710508\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"4083377d-ef3f-4732-8b15-099905710508\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious6\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"4083377d-ef3f-4732-8b15-099905710508\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "4083377d-ef3f-4732-8b15-099905710508", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "286a7f47-e8e6-41aa-8860-b635a6d785c2", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_c2b13d0b-d19b-4b08-951c-5742f4b5fe32", "Type": 2}, {"ID": "c2b13d0b-d19b-4b08-951c-5742f4b5fe32", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious6", "Type": 1}, {"ID": "4083377d-ef3f-4732-8b15-099905710508", "Type": 2}, {"ID": "4083377d-ef3f-4732-8b15-099905710508", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:30:36", "Id": "7c57a0d8-c163-4783-8326-167f8650b3c6", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_e9391c34-b130-4f05-8937-0471721787b4", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"4083377d-ef3f-4732-8b15-099905710508\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"4083377d-ef3f-4732-8b15-099905710508\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious6\"\r\n]", "OldValue": "[]"}, {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalLockConfiguration", "NewValue": "[\r\n {\r\n \"IsEnabled\": true,\r\n \"AllProperties\": true,\r\n \"CredentialsWithUsageVerify\": true,\r\n \"CredentialsWithUsageSign\": true,\r\n \"IdentifierUris\": false,\r\n \"TokenEncryptionKeyId\": true\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess, PublisherDomain, ServicePrincipalLockConfiguration", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "d6cbbb2f-fcd7-4201-82b4-ecffc06e96a3", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_e9391c34-b130-4f05-8937-0471721787b4", "Type": 2}, {"ID": "e9391c34-b130-4f05-8937-0471721787b4", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious6", "Type": 1}, {"ID": "4083377d-ef3f-4732-8b15-099905710508", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:22:14", "Id": "e7fc86f8-6f63-465d-a3f3-75404880a3ce", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e7c0eb54-6aca-4425-840b-4795349ba1c4", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"e7c0eb54-6aca-4425-840b-4795349ba1c4\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"e7c0eb54-6aca-4425-840b-4795349ba1c4\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious5\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"e7c0eb54-6aca-4425-840b-4795349ba1c4\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "e7c0eb54-6aca-4425-840b-4795349ba1c4", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "f4c1aa12-19bc-41dd-8b1d-a93b5a7c653e", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_53765d20-af44-4fb0-8ee4-43ad1d3dfe34", "Type": 2}, {"ID": "53765d20-af44-4fb0-8ee4-43ad1d3dfe34", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious5", "Type": 1}, {"ID": "e7c0eb54-6aca-4425-840b-4795349ba1c4", "Type": 2}, {"ID": "e7c0eb54-6aca-4425-840b-4795349ba1c4", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:22:02", "Id": "bca6e790-6ec5-4294-bbff-ed83ce0e4420", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_2dd674ee-3a92-40bb-a250-dae30cc15390", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"e7c0eb54-6aca-4425-840b-4795349ba1c4\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"e7c0eb54-6aca-4425-840b-4795349ba1c4\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious5\"\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, PublisherDomain", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "da6f1896-7555-4ed5-81bc-d71c3b5ed299", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_2dd674ee-3a92-40bb-a250-dae30cc15390", "Type": 2}, {"ID": "2dd674ee-3a92-40bb-a250-dae30cc15390", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious5", "Type": 1}, {"ID": "e7c0eb54-6aca-4425-840b-4795349ba1c4", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:21:59", "Id": "4bb2548e-be45-47a3-a59d-9b97f961a949", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "193edd03-d4e0-4816-944a-e6c724d1596f", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"193edd03-d4e0-4816-944a-e6c724d1596f\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"193edd03-d4e0-4816-944a-e6c724d1596f\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious4\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"193edd03-d4e0-4816-944a-e6c724d1596f\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "193edd03-d4e0-4816-944a-e6c724d1596f", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "c0372589-7f44-4786-9ca1-60ad50265594", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_86fe3d75-c33a-44f2-a053-a9f39ad6ed95", "Type": 2}, {"ID": "86fe3d75-c33a-44f2-a053-a9f39ad6ed95", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious4", "Type": 1}, {"ID": "193edd03-d4e0-4816-944a-e6c724d1596f", "Type": 2}, {"ID": "193edd03-d4e0-4816-944a-e6c724d1596f", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:21:46", "Id": "88496a1d-bef7-44bc-85b3-f5c248c58296", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_6107408f-a973-4d59-90af-3fd4e36be1e9", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"193edd03-d4e0-4816-944a-e6c724d1596f\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"193edd03-d4e0-4816-944a-e6c724d1596f\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious4\"\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, PublisherDomain", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "7bd6ce67-a36c-464f-ae51-de9ab37fa7db", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_6107408f-a973-4d59-90af-3fd4e36be1e9", "Type": 2}, {"ID": "6107408f-a973-4d59-90af-3fd4e36be1e9", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious4", "Type": 1}, {"ID": "193edd03-d4e0-4816-944a-e6c724d1596f", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:21:38", "Id": "d99c7e7a-e6d3-4a65-8edb-ead66fa358d1", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "37f64457-ee20-4177-89b7-68f19faec8f4", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"37f64457-ee20-4177-89b7-68f19faec8f4\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"37f64457-ee20-4177-89b7-68f19faec8f4\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious3\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"37f64457-ee20-4177-89b7-68f19faec8f4\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "37f64457-ee20-4177-89b7-68f19faec8f4", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "6ee1ee94-344d-454d-ba00-6683e1d94384", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_e1ee614c-ad7c-49a4-8c81-8a0c3054d6e8", "Type": 2}, {"ID": "e1ee614c-ad7c-49a4-8c81-8a0c3054d6e8", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious3", "Type": 1}, {"ID": "37f64457-ee20-4177-89b7-68f19faec8f4", "Type": 2}, {"ID": "37f64457-ee20-4177-89b7-68f19faec8f4", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:21:19", "Id": "32ae1b92-94ab-4854-bfa4-3954d24ae896", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_d4172d8c-16e2-460f-b966-512e77bad7eb", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"37f64457-ee20-4177-89b7-68f19faec8f4\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"37f64457-ee20-4177-89b7-68f19faec8f4\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious3\"\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, PublisherDomain", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "385b2ac2-9939-4cd7-9030-858afe0c7dfb", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_d4172d8c-16e2-460f-b966-512e77bad7eb", "Type": 2}, {"ID": "d4172d8c-16e2-460f-b966-512e77bad7eb", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious3", "Type": 1}, {"ID": "37f64457-ee20-4177-89b7-68f19faec8f4", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:21:10", "Id": "4a3a9c8d-f7d0-47c1-8b73-6380cc106c7d", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "227bf72b-bde4-4afb-bde0-9c645aa51078", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"227bf72b-bde4-4afb-bde0-9c645aa51078\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"227bf72b-bde4-4afb-bde0-9c645aa51078\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious2\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"227bf72b-bde4-4afb-bde0-9c645aa51078\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "227bf72b-bde4-4afb-bde0-9c645aa51078", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "f4fcb6d8-b5c5-4b61-bffd-9022fa3ab9aa", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_b2a5223d-a478-42f6-abde-e292b489e283", "Type": 2}, {"ID": "b2a5223d-a478-42f6-abde-e292b489e283", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious2", "Type": 1}, {"ID": "227bf72b-bde4-4afb-bde0-9c645aa51078", "Type": 2}, {"ID": "227bf72b-bde4-4afb-bde0-9c645aa51078", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:20:57", "Id": "b6449779-2de1-41e1-aa80-239dd76d4f62", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_85fc7de2-4a2e-4076-bf76-8a915e73828f", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"227bf72b-bde4-4afb-bde0-9c645aa51078\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"227bf72b-bde4-4afb-bde0-9c645aa51078\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious2\"\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, PublisherDomain", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "e911197f-7427-46a4-b39c-5259bc0b2256", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_85fc7de2-4a2e-4076-bf76-8a915e73828f", "Type": 2}, {"ID": "85fc7de2-4a2e-4076-bf76-8a915e73828f", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious2", "Type": 1}, {"ID": "227bf72b-bde4-4afb-bde0-9c645aa51078", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:20:49", "Id": "2b7953ee-1b64-46c2-a1b0-023806884a6d", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "1095fe98-be87-4ab7-9a63-e44bda4d23f5", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"1095fe98-be87-4ab7-9a63-e44bda4d23f5\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"1095fe98-be87-4ab7-9a63-e44bda4d23f5\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious1\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"1095fe98-be87-4ab7-9a63-e44bda4d23f5\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "1095fe98-be87-4ab7-9a63-e44bda4d23f5", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "4718d68e-a814-41f4-b0be-cc16179af594", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_d82b3445-45f8-4668-b750-13f3a7d85a53", "Type": 2}, {"ID": "d82b3445-45f8-4668-b750-13f3a7d85a53", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious1", "Type": 1}, {"ID": "1095fe98-be87-4ab7-9a63-e44bda4d23f5", "Type": 2}, {"ID": "1095fe98-be87-4ab7-9a63-e44bda4d23f5", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"} {"CreationTime": "2024-02-07T22:20:05", "Id": "12ef7dda-ea1d-476f-a880-8484e9efccce", "Operation": "Add application.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_befab195-6290-4048-9096-b2d551509f3f", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"1095fe98-be87-4ab7-9a63-e44bda4d23f5\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "AppId", "NewValue": "[\r\n \"1095fe98-be87-4ab7-9a63-e44bda4d23f5\"\r\n]", "OldValue": "[]"}, {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious1\"\r\n]", "OldValue": "[]"}, {"Name": "PublisherDomain", "NewValue": "[\r\n \"splunkresearch.onmicrosoft.com\"\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, PublisherDomain", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "69b8bd42-1918-4bd3-944e-7ea45fc2ccba", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "Application_befab195-6290-4048-9096-b2d551509f3f", "Type": 2}, {"ID": "befab195-6290-4048-9096-b2d551509f3f", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "Malicious1", "Type": 1}, {"ID": "1095fe98-be87-4ab7-9a63-e44bda4d23f5", "Type": 2}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}