7 строки
8.9 KiB
Plaintext
7 строки
8.9 KiB
Plaintext
TenantId,SourceSystem,TimeGenerated [UTC],Computer,RawData,report_time_t [UTC],id_g,date_s,receive_time_s,alert_source_s,raw_s,alert_name_s,parsed_s,context_s,actions_s,prediction_s,updated_by_s,incident_s,source_s,Type
|
|
00000000-0000-0000-0000-000000000000,RestAPI,"7/30/2023, 7:19:16.731 PM",,,"7/30/2023, 7:19:15.361 PM",00000000-0000-0000-0000-000000000001,7/30/2023,1690744624,sentinel,"{'custom_details': {}, 'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z'}",Service Principal Authentication Attempt from New Country,"{'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z', 'account': ['Partner-Integration'], 'alert_name': 'Service Principal Authentication Attempt from New Country'}","{'action': ['authentication'], 'account': ['shared_access_key']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.8330117799341679, 0.8330117799341679]",[],1,Salem,SalemAlerts_CL
|
|
00000000-0000-0000-0000-000000000002,RestAPI,"7/27/2023, 11:13:26.097 AM",,,"7/27/2023, 11:13:24.722 AM",00000000-0000-0000-0000-000000000003,7/27/2023,1690456295,sentinel,"{'custom_details': {'app': ['Miro'], 'account': ['jan.bragg@example.com'], 'result': ['50074'], 'description': ['Strong Authentication is required.']}, 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z'}",Successful logon from IP and failure from a different IP,"{'custom_details__app': ['Miro'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__result': ['50074'], 'custom_details__description': ['Strong Authentication is required.'], 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z', 'account': ['jan.bragg'], 'alert_name': 'Successful logon from IP and failure from a different IP'}","{'action': ['authentication'], 'dest': ['cloud_service'], 'program':['approved_program']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.2812345498983101]",[],0,Salem,SalemAlerts_CL
|
|
00000000-0000-0000-0000-000000000003,RestAPI,"7/27/2023, 7:35:38.856 PM",,,"7/27/2023, 7:35:37.094 PM",00000000-0000-0000-0000-000000000004,7/27/2023,1690486413,sentinel,"{'custom_details': {}, 'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z'}",Failed login attempts to Azure Portal,"{'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z', 'account': ['jan.bragg'], 'alert_name': 'Failed login attempts to Azure Portal'}","{'action': ['authentication', 'expected_aciton'], 'dest': ['cloud_service']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.4976343959569931, 0.1197867461203676]",[],0,Salem,SalemAlerts_CL
|
|
00000000-0000-0000-0000-000000000004,RestAPI,"7/27/2023, 7:53:22.111 PM",,,"7/27/2023, 7:53:21.738 PM",00000000-0000-0000-0000-000000000005,7/27/2023,1690487481,sentinel,"{'custom_details': {'country': ['LV'], 'user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'src_host': ['[""""]'], 'src_ip': ['[""123.123.123.123""]'], 'result': ['[""0 - ""]'], 'user': ['jan.bragg@example.com']}, 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z'}",Authentication Attempt from New Country,"{'custom_details__country': ['LV'], 'custom_details__user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'custom_details__src_host': ['[""""]'], 'custom_details__src_ip': ['[""123.123.123.123""]'], 'custom_details__result': ['[""0 - ""]'], 'custom_details__user': ['jan.bragg@example.com'], 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z', 'account': ['jan.bragg'], 'alert_name': 'Authentication Attempt from New Country'}","{'action': ['authentication'] 'account': ['on_travel', 'domain_account']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.unapproved_action_1680017995', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.3422004755431098]",[],0,Salem,SalemAlerts_CL
|
|
00000000-0000-0000-0000-000000000006,RestAPI,"7/25/2023, 2:42:40.263 PM",,,"7/25/2023, 2:42:37.783 PM",00000000-0000-0000-0000-000000000007,7/25/2023,1690296007,sentinel,"{'custom_details': {'city': ['Mumbai'], 'src_os': ['Windows 10'], 'account': ['jan.bragg@example.com'], 'process': ['Edge 18.19045'], 'logon_type': ['AADNonInteractiveUserSignInLogs'], 'region': ['IN'], 'src': ['[""123.123.123.123"",""123.123.123.124""]'], 'app': ['Microsoft Office'], 'result': ['[""failure""]']}, 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z'}",Attempt to bypass conditional access rule in Azure AD,"{'custom_details__city': ['Mumbai'], 'custom_details__src_os': ['Windows 10'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__process': ['Edge 18.19045'], 'custom_details__logon_type': ['AADNonInteractiveUserSignInLogs'], 'custom_details__region': ['IN'], 'custom_details__src': ['[""123.123.123.123"",""123.123.123.124""]'], 'custom_details__app': ['Microsoft Office'], 'custom_details__result': ['[""failure""]'], 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z', 'account': ['jan.bragg'], 'alert_name': 'Attempt to bypass conditional access rule in Azure AD'}","{'dest': ['cloud_service'], 'action': ['authentication', 'failure'], 'account':['mfa_enabled']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.49763429164886475, 0.0329890876554427]",[],0,Salem,SalemAlerts_CL
|