Commit
1 parent
4968bf7
commit 93bf268
Showing
1 changed file
with
127 additions
and
0 deletions.
@@ -0,0 +1,127 @@ | ||
[ | ||
{ | ||
"TenantId": "00000000-0000-0000-0000-000000000000", | ||
"SourceSystem": "RestAPI", | ||
"TimeGenerated [UTC]": "7/30/2023, 7:19:16.731 PM", | ||
"Computer": "", | ||
"RawData": "", | ||
"report_time_t [UTC]": "7/30/2023, 7:19:15.361 PM", | ||
"id_g": "00000000-0000-0000-0000-000000000001", | ||
"date_s": "7/30/2023", | ||
"receive_time_s": 1690744624, | ||
"alert_source_s": "sentinel", | ||
"raw_s": "{'custom_details': {}, 'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z'}", | ||
"alert_name_s": "Service Principal Authentication Attempt from New Country", | ||
"parsed_s": "{'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z', 'account': ['Partner-Integration'], 'alert_name': 'Service Principal Authentication Attempt from New Country'}", | ||
"context_s": "{'action': ['authentication'], 'account': ['shared_access_key']}", | ||
"actions_s": "['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']", | ||
"prediction_s": [ | ||
0.8330117799341679, | ||
0.8330117799341679 | ||
], | ||
"updated_by_s": [], | ||
"incident_s": 1, | ||
"source_s": "Salem", | ||
"Type": "SalemAlerts_CL" | ||
}, | ||
{ | ||
"TenantId": "00000000-0000-0000-0000-000000000002", | ||
"SourceSystem": "RestAPI", | ||
"TimeGenerated [UTC]": "7/27/2023, 11:13:26.097 AM", | ||
"Computer": "", | ||
"RawData": "", | ||
"report_time_t [UTC]": "7/27/2023, 11:13:24.722 AM", | ||
"id_g": "00000000-0000-0000-0000-000000000003", | ||
"date_s": "7/27/2023", | ||
"receive_time_s": 1690456295, | ||
"alert_source_s": "sentinel", | ||
"raw_s": "{'custom_details': {'app': ['Miro'], 'account': ['[email protected]'], 'result': ['50074'], 'description': ['Strong Authentication is required.']}, 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z'}", | ||
"alert_name_s": "Successful logon from IP and failure from a different IP", | ||
"parsed_s": "{'custom_details__app': ['Miro'], 'custom_details__account': ['[email protected]'], 'custom_details__result': ['50074'], 'custom_details__description': ['Strong Authentication is required.'], 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z', 'account': ['jan.bragg'], 'alert_name': 'Successful logon from IP and failure from a different IP'}", | ||
"context_s": "{'action': ['authentication'], 'dest': ['cloud_service'], 'program':['approved_program']}", | ||
"actions_s": "['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']", | ||
"prediction_s": [ | ||
0.4487365037202835, | ||
0.2812345498983101 | ||
], | ||
"updated_by_s": [], | ||
"incident_s": 0, | ||
"source_s": "Salem", | ||
"Type": "SalemAlerts_CL" | ||
}, | ||
{ | ||
"TenantId": "00000000-0000-0000-0000-000000000003", | ||
"SourceSystem": "RestAPI", | ||
"TimeGenerated [UTC]": "7/27/2023, 7:35:38.856 PM", | ||
"Computer": "", | ||
"RawData": "", | ||
"report_time_t [UTC]": "7/27/2023, 7:35:37.094 PM", | ||
"id_g": "00000000-0000-0000-0000-000000000004", | ||
"date_s": "7/27/2023", | ||
"receive_time_s": 1690486413, | ||
"alert_source_s": "sentinel", | ||
"raw_s": "{'custom_details': {}, 'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z'}", | ||
"alert_name_s": "Failed login attempts to Azure Portal", | ||
"parsed_s": "{'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z', 'account': ['jan.bragg'], 'alert_name': 'Failed login attempts to Azure Portal'}", | ||
"context_s": "{'action': ['authentication', 'expected_aciton'], 'dest': ['cloud_service']}", | ||
"actions_s": "['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']", | ||
"prediction_s": [ | ||
0.4976343959569931, | ||
0.1197867461203676 | ||
], | ||
"updated_by_s": [], | ||
"incident_s": 0, | ||
"source_s": "Salem", | ||
"Type": "SalemAlerts_CL" | ||
}, | ||
{ | ||
"TenantId": "00000000-0000-0000-0000-000000000004", | ||
"SourceSystem": "RestAPI", | ||
"TimeGenerated [UTC]": "7/27/2023, 7:53:22.111 PM", | ||
"Computer": "", | ||
"RawData": "", | ||
"report_time_t [UTC]": "7/27/2023, 7:53:21.738 PM", | ||
"id_g": "00000000-0000-0000-0000-000000000005", | ||
"date_s": "7/27/2023", | ||
"receive_time_s": 1690487481, | ||
"alert_source_s": "sentinel", | ||
"raw_s": "{'custom_details': {'country': ['LV'], 'user_agent': ['[\"Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6\"]'], 'src_host': ['[\"\"]'], 'src_ip': ['[\"123.123.123.123\"]'], 'result': ['[\"0 - \"]'], 'user': ['[email protected]']}, 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z'}", | ||
"alert_name_s": "Authentication Attempt from New Country", | ||
"parsed_s": "{'custom_details__country': ['LV'], 'custom_details__user_agent': ['[\"Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6\"]'], 'custom_details__src_host': ['[\"\"]'], 'custom_details__src_ip': ['[\"123.123.123.123\"]'], 'custom_details__result': ['[\"0 - \"]'], 'custom_details__user': ['[email protected]'], 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z', 'account': ['jan.bragg'], 'alert_name': 'Authentication Attempt from New Country'}", | ||
"context_s": "{'action': ['authentication'] 'account': ['on_travel', 'domain_account']}", | ||
"actions_s": "['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.unapproved_action_1680017995', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']", | ||
"prediction_s": [ | ||
0.4487365037202835, | ||
0.3422004755431098 | ||
], | ||
"updated_by_s": [], | ||
"incident_s": 0, | ||
"source_s": "Salem", | ||
"Type": "SalemAlerts_CL" | ||
}, | ||
{ | ||
"TenantId": "00000000-0000-0000-0000-000000000006", | ||
"SourceSystem": "RestAPI", | ||
"TimeGenerated [UTC]": "7/25/2023, 2:42:40.263 PM", | ||
"Computer": "", | ||
"RawData": "", | ||
"report_time_t [UTC]": "7/25/2023, 2:42:37.783 PM", | ||
"id_g": "00000000-0000-0000-0000-000000000007", | ||
"date_s": "7/25/2023", | ||
"receive_time_s": 1690296007, | ||
"alert_source_s": "sentinel", | ||
"raw_s": "{'custom_details': {'city': ['Mumbai'], 'src_os': ['Windows 10'], 'account': ['[email protected]'], 'process': ['Edge 18.19045'], 'logon_type': ['AADNonInteractiveUserSignInLogs'], 'region': ['IN'], 'src': ['[\"123.123.123.123\",\"123.123.123.124\"]'], 'app': ['Microsoft Office'], 'result': ['[\"failure\"]']}, 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z'}", | ||
"alert_name_s": "Attempt to bypass conditional access rule in Azure AD", | ||
"parsed_s": "{'custom_details__city': ['Mumbai'], 'custom_details__src_os': ['Windows 10'], 'custom_details__account': ['[email protected]'], 'custom_details__process': ['Edge 18.19045'], 'custom_details__logon_type': ['AADNonInteractiveUserSignInLogs'], 'custom_details__region': ['IN'], 'custom_details__src': ['[\"123.123.123.123\",\"123.123.123.124\"]'], 'custom_details__app': ['Microsoft Office'], 'custom_details__result': ['[\"failure\"]'], 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': '[email protected]', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z', 'account': ['jan.bragg'], 'alert_name': 'Attempt to bypass conditional access rule in Azure AD'}", | ||
"context_s": "{'dest': ['cloud_service'], 'action': ['authentication', 'failure'], 'account':['mfa_enabled']}", | ||
"actions_s": "['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']", | ||
"prediction_s": [ | ||
0.49763429164886475, | ||
0.0329890876554427 | ||
], | ||
"updated_by_s": [], | ||
"incident_s": 0, | ||
"source_s": "Salem", | ||
"Type": "SalemAlerts_CL" | ||
} | ||
] |
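Review bot: The `raw_s`, `parsed_s`, `context_s` and `actions_s` fields on every record hold Python-repr text (single-quoted keys, `True`) inside a JSON string rather than JSON structure, and two of them are not even well-formed literals — the second record's `parsed_s` has `'Name': jan.bragg'` with no opening quote, and the fourth record's `context_s` has `'action': ['authentication'] 'account'` with no comma — so a consumer that rebuilds them with `ast.literal_eval` will raise on those two records, and one that reaches for `eval()` would be executing alert-derived text whose entity names presumably originate in the upstream Sentinel incident, not in this repository. The least surprising fix is to store these as real nested JSON (`"context_s": {"action": ["authentication"], "account": ["on_travel", "domain_account"]}`), which removes the double encoding and the parsing question entirely; at minimum the two broken strings should read `'Name': 'jan.bragg'` and `['authentication'], 'account'`. If the malformed strings are deliberate negative cases, strict JSON cannot carry that intent, so the test that loads this file (or a sibling README) should state it. Separately, `TimeGenerated [UTC]`, `report_time_t [UTC]` and `date_s` use locale-formatted `7/30/2023, 7:19:16.731 PM` while the embedded `earliest`/`latest` values are ISO 8601, and `expected_aciton` in the third record's `context_s` looks like a typo unless a misspelled tag is the point of that fixture.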