TenantId | SourceSystem | TimeGenerated [UTC] | Computer | RawData | report_time_t [UTC] | id_g | date_s | receive_time_s | alert_source_s | raw_s | alert_name_s | parsed_s | context_s | actions_s | prediction_s | updated_by_s | incident_s | source_s | Type |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
00000000-0000-0000-0000-000000000000 | RestAPI | 7/30/2023, 7:19:16.731 PM | | | 7/30/2023, 7:19:15.361 PM | 00000000-0000-0000-0000-000000000001 | 7/30/2023 | 1690744624 | sentinel | {'custom_details': {}, 'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z'} | Service Principal Authentication Attempt from New Country | {'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z', 'account': ['Partner-Integration'], 'alert_name': 'Service Principal Authentication Attempt from New Country'} | {'action': ['authentication'], 'account': ['shared_access_key']} | ['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922'] | [0.8330117799341679, 0.8330117799341679] | [] | 1 | Salem | SalemAlerts_CL |
00000000-0000-0000-0000-000000000002 | RestAPI | 7/27/2023, 11:13:26.097 AM | | | 7/27/2023, 11:13:24.722 AM | 00000000-0000-0000-0000-000000000003 | 7/27/2023 | 1690456295 | sentinel | {'custom_details': {'app': ['Miro'], 'account': ['jan.bragg@example.com'], 'result': ['50074'], 'description': ['Strong Authentication is required.']}, 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z'} | Successful logon from IP and failure from a different IP | {'custom_details__app': ['Miro'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__result': ['50074'], 'custom_details__description': ['Strong Authentication is required.'], 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z', 'account': ['jan.bragg'], 'alert_name': 'Successful logon from IP and failure from a different IP'} | {'action': ['authentication'], 'dest': ['cloud_service'], 'program': ['approved_program']} | ['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161'] | [0.4487365037202835, 0.2812345498983101] | [] | 0 | Salem | SalemAlerts_CL |
00000000-0000-0000-0000-000000000003 | RestAPI | 7/27/2023, 7:35:38.856 PM | | | 7/27/2023, 7:35:37.094 PM | 00000000-0000-0000-0000-000000000004 | 7/27/2023 | 1690486413 | sentinel | {'custom_details': {}, 'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z'} | Failed login attempts to Azure Portal | {'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z', 'account': ['jan.bragg'], 'alert_name': 'Failed login attempts to Azure Portal'} | {'action': ['authentication', 'expected_aciton'], 'dest': ['cloud_service']} | ['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922'] | [0.4976343959569931, 0.1197867461203676] | [] | 0 | Salem | SalemAlerts_CL |
00000000-0000-0000-0000-000000000004 | RestAPI | 7/27/2023, 7:53:22.111 PM | | | 7/27/2023, 7:53:21.738 PM | 00000000-0000-0000-0000-000000000005 | 7/27/2023 | 1690487481 | sentinel | {'custom_details': {'country': ['LV'], 'user_agent': ['["Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6"]'], 'src_host': ['[""]'], 'src_ip': ['["123.123.123.123"]'], 'result': ['["0 - "]'], 'user': ['jan.bragg@example.com']}, 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z'} | Authentication Attempt from New Country | {'custom_details__country': ['LV'], 'custom_details__user_agent': ['["Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6"]'], 'custom_details__src_host': ['[""]'], 'custom_details__src_ip': ['["123.123.123.123"]'], 'custom_details__result': ['["0 - "]'], 'custom_details__user': ['jan.bragg@example.com'], 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z', 'account': ['jan.bragg'], 'alert_name': 'Authentication Attempt from New Country'} | {'action': ['authentication'], 'account': ['on_travel', 'domain_account']} | ['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.unapproved_action_1680017995', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161'] | [0.4487365037202835, 0.3422004755431098] | [] | 0 | Salem | SalemAlerts_CL |
00000000-0000-0000-0000-000000000006 | RestAPI | 7/25/2023, 2:42:40.263 PM | | | 7/25/2023, 2:42:37.783 PM | 00000000-0000-0000-0000-000000000007 | 7/25/2023 | 1690296007 | sentinel | {'custom_details': {'city': ['Mumbai'], 'src_os': ['Windows 10'], 'account': ['jan.bragg@example.com'], 'process': ['Edge 18.19045'], 'logon_type': ['AADNonInteractiveUserSignInLogs'], 'region': ['IN'], 'src': ['["123.123.123.123","123.123.123.124"]'], 'app': ['Microsoft Office'], 'result': ['["failure"]']}, 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z'} | Attempt to bypass conditional access rule in Azure AD | {'custom_details__city': ['Mumbai'], 'custom_details__src_os': ['Windows 10'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__process': ['Edge 18.19045'], 'custom_details__logon_type': ['AADNonInteractiveUserSignInLogs'], 'custom_details__region': ['IN'], 'custom_details__src': ['["123.123.123.123","123.123.123.124"]'], 'custom_details__app': ['Microsoft Office'], 'custom_details__result': ['["failure"]'], 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z', 'account': ['jan.bragg'], 'alert_name': 'Attempt to bypass conditional access rule in Azure AD'} | {'dest': ['cloud_service'], 'action': ['authentication', 'failure'], 'account': ['mfa_enabled']} | ['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161'] | [0.49763429164886475, 0.0329890876554427] | [] | 0 | Salem | SalemAlerts_CL |