Azure AD: change Level type from float to keyword

SEKOIA-IO · Dec 19, 2024 · c891621 · c891621
1 parent cf11456
commit c891621
Show file tree

Hide file tree

Showing 9 changed files with 105 additions and 8 deletions.
diff --git a/Azure/azure-ad/_meta/fields.yml b/Azure/azure-ad/_meta/fields.yml
@@ -13,7 +13,7 @@ action.target:
 azuread.Level:
   description: ''
   name: azuread.Level
-  type: long
+  type: keyword
 
 azuread.activityDateTime:
   description: ''

diff --git a/Azure/azure-ad/tests/empty_geolocalisation.json b/Azure/azure-ad/tests/empty_geolocalisation.json
@@ -19,7 +19,7 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "authenticationDetails": [
         {
           "RequestSequence": 1,

diff --git a/Azure/azure-ad/tests/sign-in_activity.json b/Azure/azure-ad/tests/sign-in_activity.json
@@ -20,7 +20,7 @@
       "outcome": "failure"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "authenticationDetails": [
         {
           "RequestSequence": 0,

diff --git a/Azure/azure-ad/tests/sign-in_activity2.json b/Azure/azure-ad/tests/sign-in_activity2.json
@@ -19,7 +19,7 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "authenticationDetails": [
         {
           "RequestSequence": 0,

diff --git a/Azure/azure-ad/tests/sign-in_activity3.json b/Azure/azure-ad/tests/sign-in_activity3.json
@@ -19,7 +19,7 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "authenticationDetails": [
         {
           "RequestSequence": 1,

diff --git a/Azure/azure-ad/tests/sign-in_activity4.json b/Azure/azure-ad/tests/sign-in_activity4.json
@@ -19,7 +19,7 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "authenticationDetails": [],
       "callerIpAddress": "11.11.11.11",
       "category": "SignInLogs",

diff --git a/Azure/azure-ad/tests/user_risk_detection.json b/Azure/azure-ad/tests/user_risk_detection.json
@@ -18,7 +18,7 @@
       "name": "User Risk Detection"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "callerIpAddress": "11.22.33.44",
       "category": "UserRiskEvents",
       "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",

diff --git a/Azure/azure-ad/tests/user_risk_detection_2.json b/Azure/azure-ad/tests/user_risk_detection_2.json
@@ -24,7 +24,7 @@
       "name": "User Risk Detection"
     },
     "azuread": {
-      "Level": 4,
+      "Level": "4",
       "callerIpAddress": "11.22.33.44",
       "category": "UserRiskEvents",
       "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",

diff --git a/Azure/azure-ad/tests/user_risk_detection_3.json b/Azure/azure-ad/tests/user_risk_detection_3.json
@@ -0,0 +1,97 @@
+{
+  "input": {
+    "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/92ab70e5-4447-4589-8725-97ab98960655/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"92ab70e5-4447-4589-8725-97ab98960655\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd\",\"requestId\":\"baf81a45-d330-4175-a76f-a5a7ae854e00\",\"correlationId\":\"50d29047-ad58-49b7-9410-589167ebf66c\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"cf8068b2-9adf-4060-960a-46f7f7a5d1c7\",\"userDisplayName\":\"DOE John\",\"userPrincipalName\":\"[email protected]\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"92ab70e5-4447-4589-8725-97ab98960655\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Microsoft Entra ID / Azure AD",
+        "dialect_uuid": "19cd2ed6-f90c-47f7-a46b-974354a107bb"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/92ab70e5-4447-4589-8725-97ab98960655/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"92ab70e5-4447-4589-8725-97ab98960655\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd\",\"requestId\":\"baf81a45-d330-4175-a76f-a5a7ae854e00\",\"correlationId\":\"50d29047-ad58-49b7-9410-589167ebf66c\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"cf8068b2-9adf-4060-960a-46f7f7a5d1c7\",\"userDisplayName\":\"DOE John\",\"userPrincipalName\":\"[email protected]\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"92ab70e5-4447-4589-8725-97ab98960655\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}",
+    "event": {
+      "category": [
+        "iam"
+      ],
+      "reason": "unfamiliarFeatures",
+      "type": [
+        "connection"
+      ]
+    },
+    "@timestamp": "2024-12-13T16:34:03Z",
+    "action": {
+      "name": "User Risk Detection"
+    },
+    "azuread": {
+      "Level": "Information",
+      "callerIpAddress": "1.2.3.4",
+      "category": "UserRiskEvents",
+      "correlationId": "0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd",
+      "durationMs": 0,
+      "identity": "doe john",
+      "operationName": "User Risk Detection",
+      "operationVersion": "1.0",
+      "properties": {
+        "activity": "signin",
+        "correlationId": "50d29047-ad58-49b7-9410-589167ebf66c",
+        "detectionTimingType": "realtime",
+        "id": "0282dcdb9dd84498fb7d4cf8eaa9137b34129c85296c8411bf2bf15c76005cbd",
+        "requestId": "baf81a45-d330-4175-a76f-a5a7ae854e00",
+        "riskDetail": "aiConfirmedSigninSafe",
+        "riskEventType": "unfamiliarFeatures",
+        "riskLevel": "low",
+        "riskReasons": [
+          "UnfamiliarBrowser",
+          "UnfamiliarDevice",
+          "UnfamiliarEASId",
+          "UnfamiliarIP",
+          "UnfamiliarLocation",
+          "UnfamiliarTenantIPsubnet"
+        ],
+        "riskState": "dismissed",
+        "source": "IdentityProtection"
+      },
+      "resourceId": "/tenants/92ab70e5-4447-4589-8725-97ab98960655/providers/microsoft.aadiam",
+      "tenantId": "92ab70e5-4447-4589-8725-97ab98960655"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ]
+    },
+    "service": {
+      "name": "Azure Active Directory",
+      "type": "ldap"
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "geo": {
+        "city_name": "Rennes",
+        "country_iso_code": "fr",
+        "location": {
+          "lat": 0.0,
+          "lon": 0.0
+        },
+        "region_name": "Bretagne"
+      },
+      "ip": "1.2.3.4"
+    },
+    "user": {
+      "email": "[email protected]",
+      "full_name": "DOE John"
+    },
+    "user_agent": {
+      "device": {
+        "name": "Samsung SM-S911B"
+      },
+      "name": "Chrome Mobile WebView",
+      "original": "Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0",
+      "os": {
+        "name": "Android",
+        "version": "14"
+      },
+      "version": "131.0.6778"
+    }
+  }
+}