https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
False Positives - Reducing benign events mistakenly identified as threats.
The field "o365.audit.UserId" contains the placeholder value "Not Available" (and "user.id" is mapped to the same value), which triggers a lot of false positives in our environment, presumably because every logon carrying this placeholder is correlated as if it came from a single user.
{ "_index": ".ds-logs-o365.audit-default-2024.09.13-000024", "_id": "aosTfZGWFGbCpp7eqLYCXXpTM10=", "_score": 1, "_source": { "agent": { "name": "ingest", "id": "122e2782-81d0-447d-bfef-34dc2c293c6e", "type": "filebeat", "ephemeral_id": "71ba93f0-e1ca-44b7-8f78-ff120cce8729", "version": "8.14.3" }, "elastic_agent": { "id": "122e2782-81d0-447d-bfef-34dc2c293c6e", "version": "8.14.3", "snapshot": false }, "source": { "geo": { "region_iso_code": "BE-VOV", "continent_name": "Europe", "city_name": "Ghent", "country_iso_code": "BE", "country_name": "Belgium", "region_name": "East Flanders Province", "location": { "lon": 3.7206, "lat": 51.047 } }, "as": { "number": 6848, "organization": { "name": "Telenet BV" } }, "ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" }, "tags": [ "preserve_original_event", "forwarded", "o365-cel" ], "network": { "type": "ipv6" }, "o365": { "audit": { "AzureActiveDirectoryEventType": "1", "UserKey": "3e399962-2dcb-4f8a-b859-65d7d5933496", "ActorIpAddress": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "SAS:EndAuth" }, "IntraSystemId": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00", "Target": [ { "Type": "0", "ID": "00000002-0000-0ff1-ce00-000000000000" } ], "RecordType": "15", "Version": "1", "SupportTicketId": "", "Actor": [ { "Type": "0", "ID": "3e399962-2dcb-4f8a-b859-65d7d5933496" } ], "DeviceProperties": [ { "Value": "Ios", "Name": "OS" }, { "Value": "Safari", "Name": "BrowserType" } ], "ActorContextId": "99999999-9999-9999-9999-9999999999", "ResultStatus": "Success", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ErrorNumber": "0", "UserId": "Not Available", "TargetContextId": "99999999-9999-9999-9999-9999999999", "CreationTime": "2024-09-25T09:08:06", "InterSystemsId": "e270bb9a-86ac-971a-586d-9a35f66c0979", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "UserType": "4" } }, "input": { "type": "cel" }, "@timestamp": "2024-09-25T09:08:06.000Z", "ecs": { "version": 
"8.11.0" }, "related": { "ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ] }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "o365.audit" }, "organization": { "id": "99999999-9999-9999-9999-9999999999" }, "host": { "id": "99999999-9999-9999-9999-9999999999" }, "client": { "address": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4", "ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" }, "event": { "agent_id_status": "verified", "ingested": "2024-09-25T09:15:46Z", "original": "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", "action": "UserLoggedIn", "id": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00", "type": [ "info", "start", "access" ], "category": [ "web", "authentication" ], "dataset": 
"o365.audit", "outcome": "success" }, "user": { "id": "Not Available" }, "user_agent": { "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1", "os": { "name": "iOS", "version": "16.7.8", "full": "iOS 16.7.8" }, "name": "Mobile Safari", "device": { "name": "iPhone" }, "version": "16.6" } }, "fields": { "o365.audit.SupportTicketId": [ "" ], "elastic_agent.version": [ "8.14.3" ], "event.category": [ "web", "authentication" ], "o365.audit.UserId": [ "Not Available" ], "o365.audit.ApplicationId": [ "00000002-0000-0ff1-ce00-000000000000" ], "user_agent.original.text": [ "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" ], "o365.audit.DeviceProperties.Name": [ "OS", "BrowserType" ], "user_agent.os.version": [ "16.7.8" ], "client.address": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "o365.audit.TargetContextId": [ "99999999-9999-9999-9999-9999999999" ], "agent.name.text": [ "ingest" ], "source.geo.region_name": [ "East Flanders Province" ], "source.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "agent.name": [ "ingest" ], "user_agent.version": [ "16.6" ], "event.agent_id_status": [ "verified" ], "source.geo.region_iso_code": [ "BE-VOV" ], "event.kind": [ "event" ], "o365.audit.Actor.Type": [ "0" ], "event.outcome": [ "success" ], "source.geo.city_name": [ "Ghent" ], "user_agent.original": [ "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" ], "event.original": [ "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS 
X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}" ], "user.id": [ "Not Available" ], "o365.audit.ExtendedProperties.ResultStatusDetail": [ "Success" ], "input.type": [ "cel" ], "client.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "user_agent.name": [ "Mobile Safari" ], "data_stream.type": [ "logs" ], "o365.audit.ObjectId": [ "00000002-0000-0ff1-ce00-000000000000" ], "tags": [ "preserve_original_event", "forwarded", "o365-cel" ], "event.provider": [ "AzureActiveDirectory" ], "event.code": [ "AzureActiveDirectoryStsLogon" ], "agent.id": [ "122e2782-81d0-447d-bfef-34dc2c293c6e" ], "o365.audit.AzureActiveDirectoryEventType": [ "1" ], "ecs.version": [ "8.11.0" ], "o365.audit.RecordType": [ "15" ], "organization.id": [ "99999999-9999-9999-9999-9999999999" ], "agent.version": [ "8.14.3" ], "o365.audit.ActorContextId": [ "99999999-9999-9999-9999-9999999999" ], "source.as.number": [ 6848 ], "o365.audit.ErrorNumber": [ "0" ], "o365.audit.CreationTime": [ "2024-09-25T09:08:06" ], "user_agent.os.full": [ "iOS 16.7.8" ], "source.geo.location": [ { "coordinates": [ 3.7206, 51.047 ], "type": "Point" } ], 
"o365.audit.UserKey": [ "3e399962-2dcb-4f8a-b859-65d7d5933496" ], "user_agent.os.name.text": [ "iOS" ], "o365.audit.Version": [ "1" ], "user_agent.os.name": [ "iOS" ], "agent.type": [ "filebeat" ], "event.module": [ "o365" ], "related.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "source.geo.country_iso_code": [ "BE" ], "elastic_agent.snapshot": [ false ], "o365.audit.InterSystemsId": [ "e270bb9a-86ac-971a-586d-9a35f66c0979" ], "host.id": [ "99999999-9999-9999-9999-9999999999" ], "network.type": [ "ipv6" ], "source.as.organization.name.text": [ "Telenet BV" ], "o365.audit.Target.Type": [ "0" ], "elastic_agent.id": [ "122e2782-81d0-447d-bfef-34dc2c293c6e" ], "data_stream.namespace": [ "default" ], "o365.audit.IntraSystemId": [ "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00" ], "o365.audit.ActorIpAddress": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "source.as.organization.name": [ "Telenet BV" ], "source.geo.continent_name": [ "Europe" ], "o365.audit.ExtendedProperties.RequestType": [ "SAS:EndAuth" ], "o365.audit.Target.ID": [ "00000002-0000-0ff1-ce00-000000000000" ], "o365.audit.UserType": [ "4" ], "user_agent.device.name.text": [ "iPhone" ], "user_agent.os.full.text": [ "iOS 16.7.8" ], "event.action": [ "UserLoggedIn" ], "event.ingested": [ "2024-09-25T09:15:46Z" ], "o365.audit.ResultStatus": [ "Success" ], "@timestamp": [ "2024-09-25T09:08:06.000Z" ], "user_agent.name.text": [ "Mobile Safari" ], "data_stream.dataset": [ "o365.audit" ], "event.type": [ "info", "start", "access" ], "agent.ephemeral_id": [ "71ba93f0-e1ca-44b7-8f78-ff120cce8729" ], "o365.audit.DeviceProperties.Value": [ "Ios", "Safari" ], "event.id": [ "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00" ], "source.geo.country_name": [ "Belgium" ], "user_agent.device.name": [ "iPhone" ], "event.dataset": [ "o365.audit" ], "o365.audit.Actor.ID": [ "3e399962-2dcb-4f8a-b859-65d7d5933496" ] } }
o365.audit.UserId
Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
The field "o365.audit.UserId" contains the placeholder value "Not Available" (and "user.id" is mapped to the same value), which triggers a lot of false positives in our environment, presumably because every logon carrying this placeholder is correlated as if it came from a single user.
Example Data
{
"_index": ".ds-logs-o365.audit-default-2024.09.13-000024",
"_id": "aosTfZGWFGbCpp7eqLYCXXpTM10=",
"_score": 1,
"_source": {
"agent": {
"name": "ingest",
"id": "122e2782-81d0-447d-bfef-34dc2c293c6e",
"type": "filebeat",
"ephemeral_id": "71ba93f0-e1ca-44b7-8f78-ff120cce8729",
"version": "8.14.3"
},
"elastic_agent": {
"id": "122e2782-81d0-447d-bfef-34dc2c293c6e",
"version": "8.14.3",
"snapshot": false
},
"source": {
"geo": {
"region_iso_code": "BE-VOV",
"continent_name": "Europe",
"city_name": "Ghent",
"country_iso_code": "BE",
"country_name": "Belgium",
"region_name": "East Flanders Province",
"location": {
"lon": 3.7206,
"lat": 51.047
}
},
"as": {
"number": 6848,
"organization": {
"name": "Telenet BV"
}
},
"ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
},
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"network": {
"type": "ipv6"
},
"o365": {
"audit": {
"AzureActiveDirectoryEventType": "1",
"UserKey": "3e399962-2dcb-4f8a-b859-65d7d5933496",
"ActorIpAddress": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4",
"ExtendedProperties": {
"ResultStatusDetail": "Success",
"RequestType": "SAS:EndAuth"
},
"IntraSystemId": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00",
"Target": [
{
"Type": "0",
"ID": "00000002-0000-0ff1-ce00-000000000000"
}
],
"RecordType": "15",
"Version": "1",
"SupportTicketId": "",
"Actor": [
{
"Type": "0",
"ID": "3e399962-2dcb-4f8a-b859-65d7d5933496"
}
],
"DeviceProperties": [
{
"Value": "Ios",
"Name": "OS"
},
{
"Value": "Safari",
"Name": "BrowserType"
}
],
"ActorContextId": "99999999-9999-9999-9999-9999999999",
"ResultStatus": "Success",
"ObjectId": "00000002-0000-0ff1-ce00-000000000000",
"ErrorNumber": "0",
"UserId": "Not Available",
"TargetContextId": "99999999-9999-9999-9999-9999999999",
"CreationTime": "2024-09-25T09:08:06",
"InterSystemsId": "e270bb9a-86ac-971a-586d-9a35f66c0979",
"ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
"UserType": "4"
}
},
"input": {
"type": "cel"
},
"@timestamp": "2024-09-25T09:08:06.000Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "o365.audit"
},
"organization": {
"id": "99999999-9999-9999-9999-9999999999"
},
"host": {
"id": "99999999-9999-9999-9999-9999999999"
},
"client": {
"address": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4",
"ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
},
"event": {
"agent_id_status": "verified",
"ingested": "2024-09-25T09:15:46Z",
"original": "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}",
"code": "AzureActiveDirectoryStsLogon",
"provider": "AzureActiveDirectory",
"kind": "event",
"action": "UserLoggedIn",
"id": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00",
"type": [
"info",
"start",
"access"
],
"category": [
"web",
"authentication"
],
"dataset": "o365.audit",
"outcome": "success"
},
"user": {
"id": "Not Available"
},
"user_agent": {
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1",
"os": {
"name": "iOS",
"version": "16.7.8",
"full": "iOS 16.7.8"
},
"name": "Mobile Safari",
"device": {
"name": "iPhone"
},
"version": "16.6"
}
},
"fields": {
"o365.audit.SupportTicketId": [
""
],
"elastic_agent.version": [
"8.14.3"
],
"event.category": [
"web",
"authentication"
],
"o365.audit.UserId": [
"Not Available"
],
"o365.audit.ApplicationId": [
"00000002-0000-0ff1-ce00-000000000000"
],
"user_agent.original.text": [
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
],
"o365.audit.DeviceProperties.Name": [
"OS",
"BrowserType"
],
"user_agent.os.version": [
"16.7.8"
],
"client.address": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"o365.audit.TargetContextId": [
"99999999-9999-9999-9999-9999999999"
],
"agent.name.text": [
"ingest"
],
"source.geo.region_name": [
"East Flanders Province"
],
"source.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"agent.name": [
"ingest"
],
"user_agent.version": [
"16.6"
],
"event.agent_id_status": [
"verified"
],
"source.geo.region_iso_code": [
"BE-VOV"
],
"event.kind": [
"event"
],
"o365.audit.Actor.Type": [
"0"
],
"event.outcome": [
"success"
],
"source.geo.city_name": [
"Ghent"
],
"user_agent.original": [
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
],
"event.original": [
"{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}"
],
"user.id": [
"Not Available"
],
"o365.audit.ExtendedProperties.ResultStatusDetail": [
"Success"
],
"input.type": [
"cel"
],
"client.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"user_agent.name": [
"Mobile Safari"
],
"data_stream.type": [
"logs"
],
"o365.audit.ObjectId": [
"00000002-0000-0ff1-ce00-000000000000"
],
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"event.provider": [
"AzureActiveDirectory"
],
"event.code": [
"AzureActiveDirectoryStsLogon"
],
"agent.id": [
"122e2782-81d0-447d-bfef-34dc2c293c6e"
],
"o365.audit.AzureActiveDirectoryEventType": [
"1"
],
"ecs.version": [
"8.11.0"
],
"o365.audit.RecordType": [
"15"
],
"organization.id": [
"99999999-9999-9999-9999-9999999999"
],
"agent.version": [
"8.14.3"
],
"o365.audit.ActorContextId": [
"99999999-9999-9999-9999-9999999999"
],
"source.as.number": [
6848
],
"o365.audit.ErrorNumber": [
"0"
],
"o365.audit.CreationTime": [
"2024-09-25T09:08:06"
],
"user_agent.os.full": [
"iOS 16.7.8"
],
"source.geo.location": [
{
"coordinates": [
3.7206,
51.047
],
"type": "Point"
}
],
"o365.audit.UserKey": [
"3e399962-2dcb-4f8a-b859-65d7d5933496"
],
"user_agent.os.name.text": [
"iOS"
],
"o365.audit.Version": [
"1"
],
"user_agent.os.name": [
"iOS"
],
"agent.type": [
"filebeat"
],
"event.module": [
"o365"
],
"related.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"source.geo.country_iso_code": [
"BE"
],
"elastic_agent.snapshot": [
false
],
"o365.audit.InterSystemsId": [
"e270bb9a-86ac-971a-586d-9a35f66c0979"
],
"host.id": [
"99999999-9999-9999-9999-9999999999"
],
"network.type": [
"ipv6"
],
"source.as.organization.name.text": [
"Telenet BV"
],
"o365.audit.Target.Type": [
"0"
],
"elastic_agent.id": [
"122e2782-81d0-447d-bfef-34dc2c293c6e"
],
"data_stream.namespace": [
"default"
],
"o365.audit.IntraSystemId": [
"b3d78cbd-9c69-4a1e-ad80-84302e3d6e00"
],
"o365.audit.ActorIpAddress": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"source.as.organization.name": [
"Telenet BV"
],
"source.geo.continent_name": [
"Europe"
],
"o365.audit.ExtendedProperties.RequestType": [
"SAS:EndAuth"
],
"o365.audit.Target.ID": [
"00000002-0000-0ff1-ce00-000000000000"
],
"o365.audit.UserType": [
"4"
],
"user_agent.device.name.text": [
"iPhone"
],
"user_agent.os.full.text": [
"iOS 16.7.8"
],
"event.action": [
"UserLoggedIn"
],
"event.ingested": [
"2024-09-25T09:15:46Z"
],
"o365.audit.ResultStatus": [
"Success"
],
"@timestamp": [
"2024-09-25T09:08:06.000Z"
],
"user_agent.name.text": [
"Mobile Safari"
],
"data_stream.dataset": [
"o365.audit"
],
"event.type": [
"info",
"start",
"access"
],
"agent.ephemeral_id": [
"71ba93f0-e1ca-44b7-8f78-ff120cce8729"
],
"o365.audit.DeviceProperties.Value": [
"Ios",
"Safari"
],
"event.id": [
"b3d78cbd-9c69-4a1e-ad80-84302e3d6e00"
],
"source.geo.country_name": [
"Belgium"
],
"user_agent.device.name": [
"iPhone"
],
"event.dataset": [
"o365.audit"
],
"o365.audit.Actor.ID": [
"3e399962-2dcb-4f8a-b859-65d7d5933496"
]
}
}