elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Microsoft 365 Impossible travel activity #4103

Open willemri opened 1 week ago

willemri commented 1 week ago

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

The field `o365.audit.UserId` contains the literal value `"Not Available"` (the example event below also carries this as `user.id`), which triggers a lot of false positives in our environment.

Example Data

{ "_index": ".ds-logs-o365.audit-default-2024.09.13-000024", "_id": "aosTfZGWFGbCpp7eqLYCXXpTM10=", "_score": 1, "_source": { "agent": { "name": "ingest", "id": "122e2782-81d0-447d-bfef-34dc2c293c6e", "type": "filebeat", "ephemeral_id": "71ba93f0-e1ca-44b7-8f78-ff120cce8729", "version": "8.14.3" }, "elastic_agent": { "id": "122e2782-81d0-447d-bfef-34dc2c293c6e", "version": "8.14.3", "snapshot": false }, "source": { "geo": { "region_iso_code": "BE-VOV", "continent_name": "Europe", "city_name": "Ghent", "country_iso_code": "BE", "country_name": "Belgium", "region_name": "East Flanders Province", "location": { "lon": 3.7206, "lat": 51.047 } }, "as": { "number": 6848, "organization": { "name": "Telenet BV" } }, "ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" }, "tags": [ "preserve_original_event", "forwarded", "o365-cel" ], "network": { "type": "ipv6" }, "o365": { "audit": { "AzureActiveDirectoryEventType": "1", "UserKey": "3e399962-2dcb-4f8a-b859-65d7d5933496", "ActorIpAddress": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4", "ExtendedProperties": { "ResultStatusDetail": "Success", "RequestType": "SAS:EndAuth" }, "IntraSystemId": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00", "Target": [ { "Type": "0", "ID": "00000002-0000-0ff1-ce00-000000000000" } ], "RecordType": "15", "Version": "1", "SupportTicketId": "", "Actor": [ { "Type": "0", "ID": "3e399962-2dcb-4f8a-b859-65d7d5933496" } ], "DeviceProperties": [ { "Value": "Ios", "Name": "OS" }, { "Value": "Safari", "Name": "BrowserType" } ], "ActorContextId": "99999999-9999-9999-9999-9999999999", "ResultStatus": "Success", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ErrorNumber": "0", "UserId": "Not Available", "TargetContextId": "99999999-9999-9999-9999-9999999999", "CreationTime": "2024-09-25T09:08:06", "InterSystemsId": "e270bb9a-86ac-971a-586d-9a35f66c0979", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "UserType": "4" } }, "input": { "type": "cel" }, "@timestamp": "2024-09-25T09:08:06.000Z", "ecs": { "version": 
"8.11.0" }, "related": { "ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ] }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "o365.audit" }, "organization": { "id": "99999999-9999-9999-9999-9999999999" }, "host": { "id": "99999999-9999-9999-9999-9999999999" }, "client": { "address": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4", "ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" }, "event": { "agent_id_status": "verified", "ingested": "2024-09-25T09:15:46Z", "original": "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", "kind": "event", "action": "UserLoggedIn", "id": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00", "type": [ "info", "start", "access" ], "category": [ "web", "authentication" ], "dataset": 
"o365.audit", "outcome": "success" }, "user": { "id": "Not Available" }, "user_agent": { "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1", "os": { "name": "iOS", "version": "16.7.8", "full": "iOS 16.7.8" }, "name": "Mobile Safari", "device": { "name": "iPhone" }, "version": "16.6" } }, "fields": { "o365.audit.SupportTicketId": [ "" ], "elastic_agent.version": [ "8.14.3" ], "event.category": [ "web", "authentication" ], "o365.audit.UserId": [ "Not Available" ], "o365.audit.ApplicationId": [ "00000002-0000-0ff1-ce00-000000000000" ], "user_agent.original.text": [ "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" ], "o365.audit.DeviceProperties.Name": [ "OS", "BrowserType" ], "user_agent.os.version": [ "16.7.8" ], "client.address": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "o365.audit.TargetContextId": [ "99999999-9999-9999-9999-9999999999" ], "agent.name.text": [ "ingest" ], "source.geo.region_name": [ "East Flanders Province" ], "source.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "agent.name": [ "ingest" ], "user_agent.version": [ "16.6" ], "event.agent_id_status": [ "verified" ], "source.geo.region_iso_code": [ "BE-VOV" ], "event.kind": [ "event" ], "o365.audit.Actor.Type": [ "0" ], "event.outcome": [ "success" ], "source.geo.city_name": [ "Ghent" ], "user_agent.original": [ "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" ], "event.original": [ "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS 
X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}" ], "user.id": [ "Not Available" ], "o365.audit.ExtendedProperties.ResultStatusDetail": [ "Success" ], "input.type": [ "cel" ], "client.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "user_agent.name": [ "Mobile Safari" ], "data_stream.type": [ "logs" ], "o365.audit.ObjectId": [ "00000002-0000-0ff1-ce00-000000000000" ], "tags": [ "preserve_original_event", "forwarded", "o365-cel" ], "event.provider": [ "AzureActiveDirectory" ], "event.code": [ "AzureActiveDirectoryStsLogon" ], "agent.id": [ "122e2782-81d0-447d-bfef-34dc2c293c6e" ], "o365.audit.AzureActiveDirectoryEventType": [ "1" ], "ecs.version": [ "8.11.0" ], "o365.audit.RecordType": [ "15" ], "organization.id": [ "99999999-9999-9999-9999-9999999999" ], "agent.version": [ "8.14.3" ], "o365.audit.ActorContextId": [ "99999999-9999-9999-9999-9999999999" ], "source.as.number": [ 6848 ], "o365.audit.ErrorNumber": [ "0" ], "o365.audit.CreationTime": [ "2024-09-25T09:08:06" ], "user_agent.os.full": [ "iOS 16.7.8" ], "source.geo.location": [ { "coordinates": [ 3.7206, 51.047 ], "type": "Point" } ], 
"o365.audit.UserKey": [ "3e399962-2dcb-4f8a-b859-65d7d5933496" ], "user_agent.os.name.text": [ "iOS" ], "o365.audit.Version": [ "1" ], "user_agent.os.name": [ "iOS" ], "agent.type": [ "filebeat" ], "event.module": [ "o365" ], "related.ip": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "source.geo.country_iso_code": [ "BE" ], "elastic_agent.snapshot": [ false ], "o365.audit.InterSystemsId": [ "e270bb9a-86ac-971a-586d-9a35f66c0979" ], "host.id": [ "99999999-9999-9999-9999-9999999999" ], "network.type": [ "ipv6" ], "source.as.organization.name.text": [ "Telenet BV" ], "o365.audit.Target.Type": [ "0" ], "elastic_agent.id": [ "122e2782-81d0-447d-bfef-34dc2c293c6e" ], "data_stream.namespace": [ "default" ], "o365.audit.IntraSystemId": [ "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00" ], "o365.audit.ActorIpAddress": [ "2a01:1812:1435:3a00:7878:bc52:41f2:56f4" ], "source.as.organization.name": [ "Telenet BV" ], "source.geo.continent_name": [ "Europe" ], "o365.audit.ExtendedProperties.RequestType": [ "SAS:EndAuth" ], "o365.audit.Target.ID": [ "00000002-0000-0ff1-ce00-000000000000" ], "o365.audit.UserType": [ "4" ], "user_agent.device.name.text": [ "iPhone" ], "user_agent.os.full.text": [ "iOS 16.7.8" ], "event.action": [ "UserLoggedIn" ], "event.ingested": [ "2024-09-25T09:15:46Z" ], "o365.audit.ResultStatus": [ "Success" ], "@timestamp": [ "2024-09-25T09:08:06.000Z" ], "user_agent.name.text": [ "Mobile Safari" ], "data_stream.dataset": [ "o365.audit" ], "event.type": [ "info", "start", "access" ], "agent.ephemeral_id": [ "71ba93f0-e1ca-44b7-8f78-ff120cce8729" ], "o365.audit.DeviceProperties.Value": [ "Ios", "Safari" ], "event.id": [ "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00" ], "source.geo.country_name": [ "Belgium" ], "user_agent.device.name": [ "iPhone" ], "event.dataset": [ "o365.audit" ], "o365.audit.Actor.ID": [ "3e399962-2dcb-4f8a-b859-65d7d5933496" ] } }