From b73129fddf89b6b755ca879469b9b31d15396e31 Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Wed, 15 Jan 2025 18:57:50 +0400
Subject: [PATCH 1/2] Fix: Microsoft Intune Warning
---
Microsoft/microsoft-intune/ingest/parser.yml | 30 ++++++++++---------
.../microsoft-intune/tests/Warning1.json | 15 ++++++++++
.../microsoft-intune/tests/Warning2.json | 15 ++++++++++
3 files changed, 46 insertions(+), 14 deletions(-)
create mode 100644 Microsoft/microsoft-intune/tests/Warning1.json
create mode 100644 Microsoft/microsoft-intune/tests/Warning2.json
diff --git a/Microsoft/microsoft-intune/ingest/parser.yml b/Microsoft/microsoft-intune/ingest/parser.yml
index 18825b70f..f191ea53d 100644
--- a/Microsoft/microsoft-intune/ingest/parser.yml
+++ b/Microsoft/microsoft-intune/ingest/parser.yml
@@ -9,7 +9,9 @@ pipeline:
 properties:
 input_field: "{{json_event.message.time}}"
 output_field: datetime
+ - name: set_common_fields
+ filter: "{{json_event.message.category not in ['MicrosoftGraphActivityLogs', 'NonInteractiveUserSignInLogs']}}"
 stages:
 set_common_fields:
@@ -21,28 +23,28 @@ stages:
 action.target: "user"
 action.type: "{{json_event.message.category}}"
 event.type: ["info"]
+ microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
 host.id: "{{json_event.message.properties.DeviceId}}"
- - set:
- host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
- filter: "{{json_event.message.properties.WifiMacAddress != null}}"
- - set:
 host.name: "{{json_event.message.properties.DeviceHostName}}"
- - set:
- host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
- filter: "{{final.host.name == null}}"
- - set:
 host.type: "{{json_event.message.properties.Model}}"
- microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
- network.application: "{{json_event.message.ApplicationName}}"
 host.os.full: "{{json_event.message.properties.OS}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
+ network.application: "{{json_event.message.ApplicationName}}"
 service.name: "{{json_event.message.properties.ManagedBy}}"
- - set:
- source.ip: "{{json_event.message.actor.ipAddress}}"
- filter: "{{json_event.message.actor.ipAddress | is_ipaddress}}"
- - set:
 source.mac: "{{json_event.message.properties.WifiMacAddress}}"
 user.email: "{{json_event.message.properties.UserEmail}}"
 user.id: "{{json_event.message.properties.IntuneAccountId}}"
 user.name: "{{json_event.message.properties.UserName or json_event.message.properties.Actor.UPN}}"
 user.roles: "{{json_event.message.properties.Actor.UserPermissions}}"
+
+ - set:
+ host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
+ filter: "{{json_event.message.properties.WifiMacAddress != null}}"
+
+ - set:
+ host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
+ filter: "{{final.host.name == null}}"
+
+ - set:
+ source.ip: "{{json_event.message.actor.ipAddress}}"
+ filter: "{{json_event.message.actor.ipAddress |
is_ipaddress}}"
diff --git a/Microsoft/microsoft-intune/tests/Warning1.json b/Microsoft/microsoft-intune/tests/Warning1.json
new file mode 100644
index 000000000..2e19b3e0b
--- /dev/null
+++ b/Microsoft/microsoft-intune/tests/Warning1.json
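Review bot: In the consolidated `set`, `source.mac` is now assigned from `properties.WifiMacAddress` unconditionally, while `host.mac` keeps its `WifiMacAddress != null` guard in the separate `set` added at the end of the hunk; on events that carry no Wi-Fi MAC, `source.mac` receives whatever the template yields for a missing property, which depending on the engine may be an empty value rather than no field at all. The asymmetry pre-dates this commit, but the reorganisation is the right moment to remove it: drop `source.mac: "{{json_event.message.properties.WifiMacAddress}}"` from the unconditional block and add the same line under the guarded `host.mac` set so both MAC fields share one null check. The enclosing `- set:` opens above the first line of the hunk, so the start of that block is not visible here.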
@@ -0,0 +1,15 @@ +{ + "input": { + "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All 
User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}" + }, + "expected": { + "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All 
TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}", + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-intune/tests/Warning2.json b/Microsoft/microsoft-intune/tests/Warning2.json new file mode 100644 index 000000000..542b2988e --- /dev/null +++ b/Microsoft/microsoft-intune/tests/Warning2.json 
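Review bot: The file name `Warning1.json` does not say what is being pinned — that a `MicrosoftGraphActivityLogs` event is deliberately left unparsed and surfaces only as the `No fields extracted from original event` warning; a descriptive name such as `graph_activity_logs_skipped.json` would document the intent, since a JSON fixture cannot carry a comment. Note also that the `expected` block couples the test to the exact warning text emitted by the engine, so a wording change upstream breaks this test without any parser change; acceptable if intended, but a rename makes it obvious the warning is the expected outcome rather than a regression.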
@@ -0,0 +1,15 @@ +{ + "input": { + "message": "{\"time\":\"2025-01-08T14:00:51.6877532Z\",\"resourceId\":\"/tenants/xxxxx-xxxxx-xxxxxx-xxxxxx/providers/Microsoft.aadiam\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"category\":\"NonInteractiveUserSignInLogs\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"resultType\":\"0\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.5\",\"correlationId\":\"000-000-000-012123\",\"identity\":\"Test\",\"Level\":4,\"location\":\"FR\",\"properties\":{\"id\":\"xxx-xxx-xxx-xxx\",\"createdDateTime\":\"2025-01-08T13:59:10.0962652+00:00\",\"userDisplayName\":\"Test\",\"userPrincipalName\":\"test.test@test.com\",\"userId\":\"00000000000-0000-0000-0000-0000000000\",\"appId\":\"00000-0000-0000-0000-00000000000\",\"appDisplayName\":\"Microsoft Edge\",\"ipAddress\":\"1.2.3.5\",\"status\":{\"errorCode\":0},\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045\",\"deviceDetail\":{\"deviceId\":\"deviceid\",\"displayName\":\"ORY2-EUD-D70007\",\"operatingSystem\":\"Windows10\",\"browser\":\"Edge 18.19045\",\"isCompliant\":true,\"isManaged\":true,\"trustType\":\"Hybrid Azure AD joined\"},\"location\":{\"city\":\"Aubervilliers\",\"state\":\"Seine-Saint-Denis\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.91482162475586,\"longitude\":2.3812100887298584}},\"correlationId\":\"000-000-000-012123\",\"conditionalAccessStatus\":\"success\",\"appliedConditionalAccessPolicies\":[{\"id\":\"aacab96d-2e38-4536-8f08-edd1520f9d28\",\"displayName\":\"User 
Only\",\"enforcedGrantControls\":[\"RequireInWeboMfa\"],\"enforcedSessionControls\":[\"ResiliencyDefaults\"],\"result\":\"success\",\"conditionsSatisfied\":7,\"conditionsNotSatisfied\":0},{\"id\":\"a3d82ad4-3be5-455f-9b76-1223dd4b3e4c\",\"displayName\":\"Admin_Access_Cloud_Apps\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"PersistentBrowserSessionMode\"],\"result\":\"notApplied\",\"conditionsSatisfied\":1,\"conditionsNotSatisfied\":2},{\"id\":\"32a2550d-dca7-4363-ae4c-b1210ba3eb15\",\"displayName\":\"Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"fd313848-6ab9-4443-abb5-e9e603124473\",\"displayName\":\"User Only Mobile\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"c88b0148-fbd1-41e0-a7ba-202237ae4c2e\",\"displayName\":\"SVC-Accounts-MFA-MS\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"98517482-7ec9-4c45-837d-bc0ecd35eeed\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 2024/08/23\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"eafcade5-ed5e-4e4a-9e28-cf29168b5d65\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"a3f2f310-8ab5-432e-a1d9-1e0580de47b1\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 
2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"8e649830-3abb-4bf7-80c5-8e32edfc3ccc\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"297d9858-e260-4d98-9ce7-b7af3b3d678e\",\"displayName\":\"BlockNonAdminListUsers\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"46a22b41-d774-4929-aa86-d360ac806bcf\",\"displayName\":\"Require compliant or hybrid Azure AD joined device or multifactor authentication for all users\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"result\":\"reportOnlySuccess\",\"conditionsSatisfied\":3,\"conditionsNotSatisfied\":0}],\"authenticationContextClassReferences\":[],\"originalRequestId\":\"xxx-xxx-xxx-xxx\",\"isInteractive\":false,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"authenticationProcessingDetails\":[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Oauth Scope Info\",\"value\":\"[\\\"Files.ReadWrite\\\",\\\"Files.ReadWrite.All\\\",\\\"Notes.Create\\\",\\\"Notes.ReadWrite\\\",\\\"Notes.ReadWrite.All\\\",\\\"People.Read\\\",\\\"profile\\\",\\\"User.Read\\\",\\\"User.ReadBasic.All\\\"]\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"networkLocationDetails\":[{\"networkType\":\"namedNetwork\",\"networkNames\":[\"Everaxis FR\"]},{\"networkType\":\"trustedNamedLocation\",\"networkNames\":[\"Everaxis 
Internal\"]}],\"clientCredentialType\":\"none\",\"processingTimeInMilliseconds\":94,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"homeTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"authenticationDetails\":[],\"authenticationRequirementPolicies\":[],\"sessionLifetimePolicies\":[],\"authenticationRequirement\":\"singleFactorAuthentication\",\"servicePrincipalId\":\"\",\"userType\":\"Member\",\"flaggedForReview\":false,\"isTenantRestricted\":false,\"autonomousSystemNumber\":3215,\"crossTenantAccessType\":\"none\",\"privateLinkDetails\":{},\"ssoExtensionVersion\":\"\",\"uniqueTokenIdentifier\":\"uidtokenxxxxxxx\",\"authenticationStrengths\":[],\"incomingTokenType\":\"primaryRefreshToken\",\"authenticationProtocol\":\"none\",\"appServicePrincipalId\":null,\"resourceServicePrincipalId\":\"xxxxx-xxxxx-xxxxx-xxxxx\",\"rngcStatus\":0,\"signInTokenProtectionStatus\":\"none\",\"tokenProtectionStatusDetails\":{\"signInSessionStatus\":\"bound\",\"signInSessionStatusCode\":0},\"originalTransferMethod\":\"none\",\"isThroughGlobalSecureAccess\":false,\"conditionalAccessAudiences\":[{\"applicationId\":\"00000003-0000-0000-0000-000000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"0000000000-0000-0000-0000-000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"00000002-0000-0000-c000-000000000000\",\"audienceReasons\":\"none\"}],\"sessionId\":\"xxxxx-0000-0000-00000-000000xxxxxx\"}}" + }, + "expected": { + "message": "{\"time\":\"2025-01-08T14:00:51.6877532Z\",\"resourceId\":\"/tenants/xxxxx-xxxxx-xxxxxx-xxxxxx/providers/Microsoft.aadiam\",\"operationName\":\"Sign-in 
activity\",\"operationVersion\":\"1.0\",\"category\":\"NonInteractiveUserSignInLogs\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"resultType\":\"0\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.5\",\"correlationId\":\"000-000-000-012123\",\"identity\":\"Test\",\"Level\":4,\"location\":\"FR\",\"properties\":{\"id\":\"xxx-xxx-xxx-xxx\",\"createdDateTime\":\"2025-01-08T13:59:10.0962652+00:00\",\"userDisplayName\":\"Test\",\"userPrincipalName\":\"test.test@test.com\",\"userId\":\"00000000000-0000-0000-0000-0000000000\",\"appId\":\"00000-0000-0000-0000-00000000000\",\"appDisplayName\":\"Microsoft Edge\",\"ipAddress\":\"1.2.3.5\",\"status\":{\"errorCode\":0},\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045\",\"deviceDetail\":{\"deviceId\":\"deviceid\",\"displayName\":\"ORY2-EUD-D70007\",\"operatingSystem\":\"Windows10\",\"browser\":\"Edge 18.19045\",\"isCompliant\":true,\"isManaged\":true,\"trustType\":\"Hybrid Azure AD joined\"},\"location\":{\"city\":\"Aubervilliers\",\"state\":\"Seine-Saint-Denis\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.91482162475586,\"longitude\":2.3812100887298584}},\"correlationId\":\"000-000-000-012123\",\"conditionalAccessStatus\":\"success\",\"appliedConditionalAccessPolicies\":[{\"id\":\"aacab96d-2e38-4536-8f08-edd1520f9d28\",\"displayName\":\"User 
Only\",\"enforcedGrantControls\":[\"RequireInWeboMfa\"],\"enforcedSessionControls\":[\"ResiliencyDefaults\"],\"result\":\"success\",\"conditionsSatisfied\":7,\"conditionsNotSatisfied\":0},{\"id\":\"a3d82ad4-3be5-455f-9b76-1223dd4b3e4c\",\"displayName\":\"Admin_Access_Cloud_Apps\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"PersistentBrowserSessionMode\"],\"result\":\"notApplied\",\"conditionsSatisfied\":1,\"conditionsNotSatisfied\":2},{\"id\":\"32a2550d-dca7-4363-ae4c-b1210ba3eb15\",\"displayName\":\"Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"fd313848-6ab9-4443-abb5-e9e603124473\",\"displayName\":\"User Only Mobile\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"c88b0148-fbd1-41e0-a7ba-202237ae4c2e\",\"displayName\":\"SVC-Accounts-MFA-MS\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"98517482-7ec9-4c45-837d-bc0ecd35eeed\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 2024/08/23\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"eafcade5-ed5e-4e4a-9e28-cf29168b5d65\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"a3f2f310-8ab5-432e-a1d9-1e0580de47b1\",\"displayName\":\"[SharePoint admin center]Use app-enforced Restrictions for browser access - 
2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"8e649830-3abb-4bf7-80c5-8e32edfc3ccc\",\"displayName\":\"[SharePoint admin center]Block access from apps on unmanaged devices - 2024/08/27\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"297d9858-e260-4d98-9ce7-b7af3b3d678e\",\"displayName\":\"BlockNonAdminListUsers\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"46a22b41-d774-4929-aa86-d360ac806bcf\",\"displayName\":\"Require compliant or hybrid Azure AD joined device or multifactor authentication for all users\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"result\":\"reportOnlySuccess\",\"conditionsSatisfied\":3,\"conditionsNotSatisfied\":0}],\"authenticationContextClassReferences\":[],\"originalRequestId\":\"xxx-xxx-xxx-xxx\",\"isInteractive\":false,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"authenticationProcessingDetails\":[{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Oauth Scope Info\",\"value\":\"[\\\"Files.ReadWrite\\\",\\\"Files.ReadWrite.All\\\",\\\"Notes.Create\\\",\\\"Notes.ReadWrite\\\",\\\"Notes.ReadWrite.All\\\",\\\"People.Read\\\",\\\"profile\\\",\\\"User.Read\\\",\\\"User.ReadBasic.All\\\"]\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"networkLocationDetails\":[{\"networkType\":\"namedNetwork\",\"networkNames\":[\"Everaxis FR\"]},{\"networkType\":\"trustedNamedLocation\",\"networkNames\":[\"Everaxis 
Internal\"]}],\"clientCredentialType\":\"none\",\"processingTimeInMilliseconds\":94,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"homeTenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"tenantId\":\"xxxxx-xxxxx-xxxxxx-xxxxxx\",\"authenticationDetails\":[],\"authenticationRequirementPolicies\":[],\"sessionLifetimePolicies\":[],\"authenticationRequirement\":\"singleFactorAuthentication\",\"servicePrincipalId\":\"\",\"userType\":\"Member\",\"flaggedForReview\":false,\"isTenantRestricted\":false,\"autonomousSystemNumber\":3215,\"crossTenantAccessType\":\"none\",\"privateLinkDetails\":{},\"ssoExtensionVersion\":\"\",\"uniqueTokenIdentifier\":\"uidtokenxxxxxxx\",\"authenticationStrengths\":[],\"incomingTokenType\":\"primaryRefreshToken\",\"authenticationProtocol\":\"none\",\"appServicePrincipalId\":null,\"resourceServicePrincipalId\":\"xxxxx-xxxxx-xxxxx-xxxxx\",\"rngcStatus\":0,\"signInTokenProtectionStatus\":\"none\",\"tokenProtectionStatusDetails\":{\"signInSessionStatus\":\"bound\",\"signInSessionStatusCode\":0},\"originalTransferMethod\":\"none\",\"isThroughGlobalSecureAccess\":false,\"conditionalAccessAudiences\":[{\"applicationId\":\"00000003-0000-0000-0000-000000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"0000000000-0000-0000-0000-000000000\",\"audienceReasons\":\"none\"},{\"applicationId\":\"00000002-0000-0000-c000-000000000000\",\"audienceReasons\":\"none\"}],\"sessionId\":\"xxxxx-0000-0000-00000-000000xxxxxx\"}}", + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } +} \ No newline at end of file From ad4e6900dbb793b24cf27fa1961d12ab84894c53 Mon Sep 17 00:00:00 2001 
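Review bot: The fixture masks `tenantId`, `userId` and `appId` but still carries what appear to be real tenant artefacts: conditional access policy GUIDs and display names (`Admin_Access_Cloud_Apps`, `SVC-Accounts-MFA-MS`, the `[SharePoint admin center]…` policies), the named locations `Everaxis FR` / `Everaxis Internal`, the device name `ORY2-EUD-D70007`, an `autonomousSystemNumber` and precise `geoCoordinates`. None of these values matter to the test, which only checks that the event is left unparsed, so they should be replaced with synthetic ones (e.g. `"networkNames":["Example FR"]`, `"displayName":"TEST-DEVICE-01"`, zeroed policy GUIDs) before they land in a public repository. A name such as `non_interactive_signin_logs_skipped.json` would also document what the fixture covers better than `Warning2.json`.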
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com>
Date: Tue, 21 Jan 2025 18:10:35 +0400
Subject: [PATCH 2/2] Update Microsoft/microsoft-intune/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
Microsoft/microsoft-intune/ingest/parser.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Microsoft/microsoft-intune/ingest/parser.yml b/Microsoft/microsoft-intune/ingest/parser.yml
index f191ea53d..4bef605b6 100644
--- a/Microsoft/microsoft-intune/ingest/parser.yml
+++ b/Microsoft/microsoft-intune/ingest/parser.yml
@@ -11,7 +11,7 @@ pipeline:
 output_field: datetime
 - name: set_common_fields
- filter: "{{json_event.message.category not in ['MicrosoftGraphActivityLogs', 'NonInteractiveUserSignInLogs']}}"
+ filter: "{{json_event.message.category in ['AuditLogs', 'DeviceComplianceOrg', 'Devices', 'OperationalLogs']}}"
 stages:
 set_common_fields:
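Review bot: The allowlist on the `set_common_fields` filter is the right shape, but nothing in the file says where the four category names come from or what happens to every other category; the two new fixtures show that a `MicrosoftGraphActivityLogs` or `NonInteractiveUserSignInLogs` event (both carrying a `MICROSOFT.AADIAM` provider in `resourceId`, which suggests Entra ID sign-in/Graph telemetry rather than Intune data) is now stored with only the `No fields extracted from original event` warning, so fields a detection would want — `callerIpAddress`, `userPrincipalName`, `conditionalAccessStatus`, `riskState` — are dropped rather than normalised. Add a comment above the filter so the next maintainer does not "fix" it, e.g. `# Only Intune categories are normalised here; Entra ID categories that share the diagnostic-settings export (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs, ...) are skipped on purpose and should be sent to the intake that handles Entra ID sign-in logs.` Any new category Intune starts emitting will likewise be dropped silently, so the comment should also say the list needs revisiting when Microsoft adds one.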