{"time": "2023-10-27T19:05:44.7048245Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "65001", "resultSignature": "None", "resultDescription": "Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "87e6b858-0c76-47bf-8b21-590560401d00", "createdDateTime": "2023-10-27T19:03:01.2599799+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 65001, "failureReason": "Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.", "additionalDetails": "MFA completed in Azure AD"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160736083984, "longitude": -23.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "87e6b858-0c76-47bf-8b21-590560401d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 819, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T19:03:01.2599799+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-10-27T19:02:51+00:00", "authenticationMethod": "Mobile app notification", "succeeded": false, "authenticationStepResultDetail": "Authentication in progress", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1698433370272}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "WLjmh3YMv0eLIVkFYEAdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T19:05:39.2938133Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "7541d4e0-2550-493e-9d69-0f3134202000", "createdDateTime": "2023-10-27T19:03:15.2758141+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160736083984, "longitude": -23.99697875976562}}, "mfaDetail": {}, "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "7541d4e0-2550-493e-9d69-0f3134202000", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 1016, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T19:03:15.2758141+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "4NRBdVAlPkmdaQ8xNCAgAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T19:05:37.5130391Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "50074", "resultSignature": "None", "resultDescription": "Strong Authentication is required.", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "87e6b858-0c76-47bf-8b21-590560401d00", "createdDateTime": "2023-10-27T19:02:49.9417489+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "MFA successfully completed"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160736083984, "longitude": -23.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "87e6b858-0c76-47bf-8b21-590560401d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 204, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T19:02:49.9417489+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-10-27T19:02:51+00:00", "authenticationMethod": "Mobile app notification", "succeeded": false, "authenticationStepResultDetail": "Authentication in progress", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1698433370272}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "WLjmh3YMv0eLIVkFYEAdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T19:05:24.5602883Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "50074", "resultSignature": "None", "resultDescription": "Strong Authentication is required.", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "87e6b858-0c76-47bf-8b21-590560401d00", "createdDateTime": "2023-10-27T19:02:49.9417489+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "MFA successfully completed"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160736083984, "longitude": -23.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "87e6b858-0c76-47bf-8b21-590560401d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 204, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T19:02:49.9417489+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-10-27T19:02:49.9417489+00:00", "authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA successfully completed", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "WLjmh3YMv0eLIVkFYEAdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T19:04:57.7505121Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultType": "50074", "resultSignature": "None", "resultDescription": "Strong Authentication is required.", "durationMs": 0, "callerIpAddress": "120.1.121.35", "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "87e6b858-0c76-47bf-8b21-590560401d00", "createdDateTime": "2023-10-27T19:02:49.9417489+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "96f6a3d6-d5aa-4af5-a77a-9319b5283712", "appDisplayName": "Bad App 1", "ipAddress": "120.1.121.35", "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required.", "additionalDetails": "Authentication in progress"}, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "browser": "Chrome 118.0.0"}, "location": {"city": "Ohio", "state": "Ohio", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160736083984, "longitude": -23.99697875976562}}, "mfaDetail": {"authMethod": "Mobile app notification"}, "correlationId": "5fe8ef18-f4a1-4b26-92a3-20bbf636261c", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "87e6b858-0c76-47bf-8b21-590560401d00", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 204, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "homeTenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-27T19:02:49.9417489+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}, {"authenticationStepDateTime": "2023-10-27T19:02:49.9417489+00:00", "authenticationMethod": "Mobile app notification", "succeeded": false, "authenticationStepResultDetail": "Authentication in progress", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "WLjmh3YMv0eLIVkFYEAdAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-27T19:03:15.2602322Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.55.51.211", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "Level": 4, "properties": {"id": "Directory_e8f24ab7-b587-4a94-91f3-cb186133856d_IIML5_335468643", "category": "ApplicationManagement", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "result": "success", "resultReason": "", "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T19:03:15.2602322+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "20.55.51.211", "roles": []}}, "targetResources": [{"id": "295afd33-03e9-4d61-a023-ebf08ab0d5ce", "displayName": "Bad App 1", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72, ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope: Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"96f6a3d6-d5aa-4af5-a77a-9319b5283712\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}} {"time": "2023-10-27T19:03:15.2592316Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Add app role assignment grant to user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.55.51.211", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "Level": 4, "properties": {"id": "Directory_e8f24ab7-b587-4a94-91f3-cb186133856d_IIML5_335468638", "category": "UserManagement", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment grant to user", "activityDateTime": "2023-10-27T19:03:15.2592316+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "20.55.51.211", "roles": []}}, "targetResources": [{"id": "295afd33-03e9-4d61-a023-ebf08ab0d5ce", "displayName": "Bad App 1", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id", "oldValue": null, "newValue": "\"00000000-0000-0000-0000-000000000000\""}, {"displayName": "AppRole.Value", "oldValue": null, "newValue": "\"\""}, {"displayName": "AppRole.DisplayName", "oldValue": null, "newValue": "\"\""}, {"displayName": "AppRoleAssignment.CreatedDateTime", "oldValue": null, "newValue": "\"2023-10-27T19:03:15.1032233Z\""}, {"displayName": "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2023-10-27T19:03:15.1032233Z\""}, {"displayName": "User.ObjectID", "oldValue": null, "newValue": "\"57e4bd36-9722-4a4a-9729-7203d8e00b72\""}, {"displayName": "User.UPN", "oldValue": null, "newValue": "\"user15@splunkresearch.onmicrosoft.com\""}, {"displayName": "User.PUID", "oldValue": null, "newValue": "\"10032002CC029AE9\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"96f6a3d6-d5aa-4af5-a77a-9319b5283712\""}], "administrativeUnits": []}, {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "type": "User", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}} {"time": "2023-10-27T19:03:15.0822242Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Add delegated permission grant", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.55.51.211", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "Level": 4, "properties": {"id": "Directory_e8f24ab7-b587-4a94-91f3-cb186133856d_IIML5_335467814", "category": "ApplicationManagement", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "result": "success", "resultReason": "", "activityDisplayName": "Add delegated permission grant", "activityDateTime": "2023-10-27T19:03:15.0822242+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "20.55.51.211", "roles": []}}, "targetResources": [{"id": "ce7199b4-8f52-46f3-b54b-4fd81de961e2", "displayName": "Microsoft Graph", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "DelegatedPermissionGrant.Scope", "oldValue": null, "newValue": "\"Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read\""}, {"displayName": "DelegatedPermissionGrant.ConsentType", "oldValue": null, "newValue": "\"Principal\""}, {"displayName": "ServicePrincipal.ObjectID", "oldValue": null, "newValue": "\"295afd33-03e9-4d61-a023-ebf08ab0d5ce\""}, {"displayName": "ServicePrincipal.DisplayName", "oldValue": null, "newValue": null}, {"displayName": "ServicePrincipal.AppId", "oldValue": null, "newValue": null}, {"displayName": "ServicePrincipal.Name", "oldValue": null, "newValue": null}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"00000003-0000-0000-c000-000000000000;00000003-0000-0000-c000-000000000000/ags.windows.net;https://ags.windows.net;https://graph.microsoft.com;https://canary.graph.microsoft.com;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us;https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/\""}], "administrativeUnits": []}, {"id": "295afd33-03e9-4d61-a023-ebf08ab0d5ce", "displayName": null, "type": "ServicePrincipal", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "00000003-0000-0000-c000-000000000000"}]}} {"time": "2023-10-27T19:03:14.9172152Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Add service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.55.51.211", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "Level": 4, "properties": {"id": "Directory_e8f24ab7-b587-4a94-91f3-cb186133856d_IIML5_335467140", "category": "ApplicationManagement", "correlationId": "e8f24ab7-b587-4a94-91f3-cb186133856d", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2023-10-27T19:03:14.9172152+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "20.55.51.211", "roles": []}}, "targetResources": [{"id": "295afd33-03e9-4d61-a023-ebf08ab0d5ce", "displayName": "Bad App 1", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"}, {"displayName": "AppAddress", "oldValue": "[]", "newValue": "[{\"AddressType\":0,\"Address\":\"https://52.88.103.113:443/login/authorized\",\"ReplyAddressClientType\":1,\"ReplyAddressIndex\":null,\"IsReplyAddressDefault\":false}]"}, {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"96f6a3d6-d5aa-4af5-a77a-9319b5283712\"]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"Bad App 1\"]"}, {"displayName": "ServicePrincipalName", "oldValue": "[]", "newValue": "[\"96f6a3d6-d5aa-4af5-a77a-9319b5283712\"]"}, {"displayName": "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppAddress, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"96f6a3d6-d5aa-4af5-a77a-9319b5283712\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}} {"time": "2023-10-27T19:03:00.2388464Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.150.52.244", "correlationId": "01384a91-ee99-4da9-8e2b-0319646c8c3f", "identity": "Azure MFA StrongAuthenticationService", "Level": 4, "properties": {"id": "Directory_01384a91-ee99-4da9-8e2b-0319646c8c3f_8EISR_378664447", "category": "UserManagement", "correlationId": "01384a91-ee99-4da9-8e2b-0319646c8c3f", "result": "success", "resultReason": "", "activityDisplayName": "Update user", "activityDateTime": "2023-10-27T19:03:00.2388464+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "Azure MFA StrongAuthenticationService", "servicePrincipalId": "e80590c4-87c0-491b-829b-11d2e23ea384", "servicePrincipalName": null}}, "targetResources": [{"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "type": "User", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "modifiedProperties": [{"displayName": "StrongAuthenticationPhoneAppDetail", "oldValue": "[{\"DeviceName\":\"iPhone 14 Pro\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.15\",\"OathTokenTimeDrift\":0,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-10-27T16:14:14.1624453Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]", "newValue": "[{\"DeviceName\":\"iPhone 14 Pro\",\"DeviceToken\":\"apns2-315bda511c965fa511e658a9b5afe1481667ae0b694ee14f9ef6d6bb3ad51432\",\"DeviceTag\":\"SoftwareTokenActivated\",\"PhoneAppVersion\":\"6.7.15\",\"OathTokenTimeDrift\":-1,\"DeviceId\":\"00000000-0000-0000-0000-000000000000\",\"Id\":\"6a53b3ef-9cdd-432f-b194-6fc3668280b3\",\"TimeInterval\":0,\"AuthenticationType\":3,\"NotificationType\":2,\"LastAuthenticatedTimestamp\":\"2023-10-27T16:14:14.1624453Z\",\"AuthenticatorFlavor\":null,\"HashFunction\":null,\"TenantDeviceId\":null,\"SecuredPartitionId\":0,\"SecuredKeyId\":0}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationPhoneAppDetail\""}, {"displayName": "TargetId.UserType", "oldValue": null, "newValue": "\"Member\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "UserType", "value": "Member"}]}}