{"time": "2023-10-26T19:23:11.5443926Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "5e79bf5d-970d-4972-863a-99dd65802172", "identity": "attacker Edwards", "Level": 4, "location": "US", "properties": {"id": "ff99e1ff-504f-42d4-a4b7-d8d20da40000", "createdDateTime": "2023-10-26T19:21:26.7759784+00:00", "userDisplayName": "attacker Edwards", "userPrincipalName": "attacker@splunkresearch.onmicrosoft.com", "userId": "e4c722ac-3b83-478d-8f52-c388885dc30f", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "1.2.3.4", "status": {"errorCode": 0}, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows10", "browser": "IE 7.0"}, "location": {"city": "Rochester", "state": "Rochester", "countryOrRegion": "US", "geoCoordinates": {"latitude": 32.756160736083984, "longitude": -22.99697875976562}}, "correlationId": "5e79bf5d-970d-4972-863a-99dd65802172", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "ff99e1ff-504f-42d4-a4b7-d8d20da40000", "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 91, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", 
"riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "homeTenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-26T19:21:26.7759784+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 0}], "authenticationRequirementPolicies": [], "sessionLifetimePolicies": [], "authenticationRequirement": "singleFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "_-GZ_09Q1EKkt9jSDaQAAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}} {"time": "2023-10-26T19:22:20.2814027Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam", "operationName": "Update authorization policy", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "Level": 4, "properties": {"id": "Directory_cc46d719-4c0f-4b78-8795-b0d6ca5b2065_6CH7M_196574953", "category": "AuthorizationPolicy", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "result": 
"success", "resultReason": "", "activityDisplayName": "Update authorization policy", "activityDateTime": "2023-10-26T19:22:20.2814027+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName": "attacker@splunkresearch.onmicrosoft.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "24484114-1daa-4700-aaf7-44ee5cbe5678", "displayName": "Authorization Policy", "type": "Other", "modifiedProperties": [{"displayName": "AllowUserConsentForRiskyApps", "oldValue": "[false]", "newValue": "[true]"}, {"displayName": "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "oldValue": "[\"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"]", "newValue": "[\"microsoft-user-default-legacy\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AllowUserConsentForRiskyApps, PermissionGrantPolicyIdsAssignedToDefaultUserRole\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Swagger-Codegen/1.0.0.0/csharp/msal"}]}} {"time": "2023-10-26T19:22:20.1384008Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam", "operationName": "Update company settings", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "Level": 4, "properties": {"id": "Directory_cc46d719-4c0f-4b78-8795-b0d6ca5b2065_6CH7M_196574424", "category": "DirectoryManagement", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "result": "success", "resultReason": "", "activityDisplayName": "Update company settings", "activityDateTime": "2023-10-26T19:22:20.1384008+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": 
{"user": {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName": "attacker@splunkresearch.onmicrosoft.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "5f210575-a69b-41a7-b623-3f6d79ccd432", "displayName": "SplunkResearch", "type": "Directory", "modifiedProperties": [{"displayName": "ObjectSettings", "oldValue": "[{\"Settings\":[{\"Id\":\"7c5bf263-e0ee-47d6-8c5d-f1f14ef912a1\",\"ObjectSettingTemplateId\":\"dffd5d46-495d-40a9-8e21-954ff55e198a\",\"Properties\":[{\"Key\":\"EnableGroupSpecificConsent\",\"Value\":\"true\"},{\"Key\":\"BlockUserConsentForRiskyApps\",\"Value\":\"True\"},{\"Key\":\"EnableAdminConsentRequests\",\"Value\":\"false\"},{\"Key\":\"ConstrainGroupSpecificConsentToMembersOfGroupId\",\"Value\":\"\"}]}]}]", "newValue": "[{\"Settings\":[{\"Id\":\"7c5bf263-e0ee-47d6-8c5d-f1f14ef912a1\",\"ObjectSettingTemplateId\":\"dffd5d46-495d-40a9-8e21-954ff55e198a\",\"Properties\":[{\"Key\":\"EnableGroupSpecificConsent\",\"Value\":\"true\"},{\"Key\":\"BlockUserConsentForRiskyApps\",\"Value\":\"False\"},{\"Key\":\"EnableAdminConsentRequests\",\"Value\":\"false\"},{\"Key\":\"ConstrainGroupSpecificConsentToMembersOfGroupId\",\"Value\":\"\"}]}]}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"ObjectSettings\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Swagger-Codegen/1.0.0.0/csharp/msal"}]}}