# Regex definition and storage

## Entity - Regexes
- Account - SID, EMAIL, NTACCT
- Host - DNS
- IP address - IPV4, IPV6
- URL - URL
- Azure resource - RESOURCEID
- Registry key - REGKEY
- Domain name (DNS) - DNS
- File - LXPATH, WINPATH
- File hash - MD5, SHA1, SHA256
- Process - WINPROCESS

In [22]:
import html
import json
import os
import re

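def write_regexes(data, path="./", fileName="regexes"):
    """Serialize the regex catalogue to ``<path>/<fileName>.json``.

    Args:
        data (dict): Mapping of regex name to its definition
            (``regex``, ``priority``, ``entity`` / ``data_format``).
        path (str, optional): Directory to write into. A relative path is
            resolved against the current working directory; an absolute path
            is used as given. Defaults to "./".
        fileName (str, optional): Base name of the JSON file, without the
            ``.json`` extension. Defaults to "regexes".
    """
    # os.path.join keeps absolute `path` values absolute and avoids doubled
    # separators; plain string concatenation with a "./" prefix does neither.
    file_path = os.path.join(path, f"{fileName}.json")
    # Pin the encoding so the file is read back identically on every platform.
    with open(file_path, "w", encoding="utf-8") as fp:
        json.dump(data, fp)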


# Regex catalogue written to regexes.json and reloaded below as `entity_regexes`.
# Each entry has:
#   "regex"    - applied by the match_* functions with re.VERBOSE and case=False,
#                so whitespace/newlines inside the triple-quoted patterns are
#                ignored outside character classes and matching is case-insensitive;
#   "priority" - stored as a string; "0" is the highest. interpret_matches uses it
#                to break ties between regexes matching the same column;
#   "entity"   - the entity type assigned to a column when this regex wins.
data = {
    # Matches dotted labels generally, so plain resource/group names hit it too
    # (see the DNS_REGEX hits on Resource/ResourceGroup in the output below).
    "DNS_REGEX": {
        "regex": r"^((?=[a-z0-9-]{1,63}\.)[a-z0-9]+(-[a-z0-9]+)*\.){1,126}[a-z]{2,63}$",
        "priority": "1",
        "entity": "host",
    },
    # Octets are not range-checked: any 1-3 digit groups match (e.g. 999.999.999.999).
    "IPV4_REGEX": {
        "regex": r"^(?P<ipaddress>(?:[0-9]{1,3}\.){3}[0-9]{1,3})$",
        "priority": "0",
        "entity": "ipaddress",
    },
    # Upper-case hex only in the pattern; lower-case addresses still match because
    # the callers pass case=False.
    "IPV6_REGEX": {
        "regex": r"^(?<![:.\w])(?:[A-F0-9]{0,4}:){2,7}[A-F0-9]{0,4}(?![:.\w])$",
        "priority": "0",
        "entity": "ipaddress",
    },
    # Multi-line pattern that relies on re.VERBOSE; '#' is escaped where it must be literal.
    "URL_REGEX": {
        "regex": r"""
            ^
            (?P<protocol>(https?|ftp|telnet|ldap|file)://)
            (?P<userinfo>([a-z0-9-._~!$&\'()*+,;=:]|%[0-9A-F]{2})*@)?
            (?P<host>([a-z0-9-._~!$&\'()*+,;=]|%[0-9A-F]{2})*)
            (:(?P<port>\d*))?
            (/(?P<path>([^?\#"<>\s]|%[0-9A-F]{2})*/?))?
            (\?(?P<query>([a-z0-9-._~!$&'()*+,;=:/?@]|%[0-9A-F]{2})*))?
            (\#(?P<fragment>([a-z0-9-._~!$&'()*+,;=:/?@]|%[0-9A-F]{2})*))?
            $
            """,
        "priority": "0",
        "entity": "url",
    },
    # Hash patterns: the (?:^|[^hex]) / (?:$|[^hex]) boundary groups are redundant
    # under the outer ^...$ anchors; they only matter once the anchors are stripped
    # for substring matching (match_regexes_partial below).
    "MD5_REGEX": {
        "regex": r"^(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{32})(?:$|[^A-Fa-f0-9])$",
        "priority": "1",
        "entity": "hash",
    },
    "SHA1_REGEX": {
        "regex": r"^(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{40})(?:$|[^A-Fa-f0-9])$",
        "priority": "1",
        "entity": "hash",
    },
    "SHA256_REGEX": {
        "regex": r"^(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{64})(?:$|[^A-Fa-f0-9])$",
        "priority": "1",
        "entity": "hash",
    },
    # The empty alternative in `||` makes the root optional, so relative paths match too.
    "LXPATH_REGEX": {
        "regex": r"""
            ^(?P<root>/+||[.]+)
            (?P<folder>/(?:[^\\/:*?<>|\r\n]+/)*)
            (?P<file>[^/\0<>|\r\n ]+)$
            """,
        "priority": "2",
        "entity": "file",
    },
    # Root is a drive letter, a UNC server prefix, dots, or (empty alternative) nothing.
    "WINPATH_REGEX": {
        "regex": r"""
            ^(?P<root>[a-z]:|\\\\[a-z0-9_.$-]+||[.]+)
            (?P<folder>\\(?:[^\\/:*?"'<>|\r\n]+\\)*)
            (?P<file>[^\\/*?""<>|\r\n ]+)$
            """,
        "priority": "1",
        "entity": "file",
    },
    # Same shape as WINPATH but root and folder are optional and the file must end in .exe.
    "WINPROCESS_REGEX": {
        "regex": r"""
            ^(?P<root>[a-z]:|\\\\[a-z0-9_.$-]+||[.]+)?
            (?P<folder>\\(?:[^\\/:*?"'<>|\r\n]+\\)*)?
            (?P<file>[^\\/*?""<>|\r\n ]+\.exe)$
        """,
        "priority": "0",
        "entity": "process",
    },
    'EMAIL_REGEX': {
        'regex': r"^[\w\d._%+-]+@(?:[\w\d-]+\.)+[\w]{2,}$", 
        'priority': '0', 
        'entity': 'account'
    },
    # Not anchored; the callers use str.match, which anchors at the start of the value anyway.
    'RESOURCEID_REGEX': {
        'regex': r"(\/[a-z]+\/)[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(\/[a-z]+\/).*", 
        'priority': '0', 
        'entity': 'azureresource'
    },
    # DOMAIN\user with 2-15 characters on each side of the backslash.
    'NTACCT_REGEX': {
        'regex': r"^([^\/:*?\"<>|]){2,15}\\[^\/:*?\"<>|]{2,15}$", 
        'priority': '0', 
        'entity': 'account'
    },
    'SID_REGEX': {
        'regex': r"^S-[\d]+(-[\d]+)+$", 
        'priority': '1', 
        'entity': 'account'
    },
    # Not anchored; an optional quote or whitespace character is tolerated on either side.
    'REGKEY_REGEX': {
        'regex': r"""("|'|\s)?(?P<hive>HKLM|HKCU|HKCR|HKU|HKEY_(LOCAL_MACHINE|USERS|CURRENT_USER|CURRENT_CONFIG|CLASSES_ROOT))(?P<key>(\\[^"'\\/]+){1,}\\?)("|'|\s)?""", 
        'priority': '1', 
        'entity': 'registrykey'
    },
    # Deliberately has no "entity" key (only data_format): GUID matches are ignored by
    # interpret_matches and hidden by default in table_match_to_html.
    'GUID_REGEX': {
        'regex': r"^[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}$", 
        'priority': '1', 
        'data_format': 'uuid'
    }
}

# Writes ./regexes.json relative to the current working directory; append_regex and
# get_regexes below open the same file by its bare relative name.
write_regexes(data)

In [23]:
def append_regex(name, regex, priority, entity):
    """Add or replace one entry in ./regexes.json.

    The catalogue is loaded from the working directory, the entry for
    ``name`` is set to the given regex, priority and entity (overwriting
    any existing entry of that name), and the whole file is rewritten.
    """
    with open("regexes.json") as source:
        catalogue = json.load(source)
    catalogue[name] = {"regex": regex, "priority": priority, "entity": entity}
    with open("regexes.json", "w") as sink:
        json.dump(catalogue, sink)

In [24]:
def get_regexes():
    """Load the regex catalogue from ./regexes.json and return it as a dict."""
    with open("regexes.json") as source:
        catalogue = json.load(source)
    return catalogue

In [25]:
# Reload the catalogue from regexes.json. The match_* and interpret_* functions
# below read this notebook-level name directly, so it must be defined before they run.
entity_regexes = get_regexes()
print(entity_regexes)

{'DNS_REGEX': {'regex': '^((?=[a-z0-9-]{1,63}\\.)[a-z0-9]+(-[a-z0-9]+)*\\.){1,126}[a-z]{2,63}$', 'priority': '1', 'entity': 'host'}, 'IPV4_REGEX': {'regex': '^(?P<ipaddress>(?:[0-9]{1,3}\\.){3}[0-9]{1,3})$', 'priority': '0', 'entity': 'ipaddress'}, 'IPV6_REGEX': {'regex': '^(?<![:.\\w])(?:[A-F0-9]{0,4}:){2,7}[A-F0-9]{0,4}(?![:.\\w])$', 'priority': '0', 'entity': 'ipaddress'}, 'URL_REGEX': {'regex': '\n            ^\n            (?P<protocol>(https?|ftp|telnet|ldap|file)://)\n            (?P<userinfo>([a-z0-9-._~!$&\\\'()*+,;=:]|%[0-9A-F]{2})*@)?\n            (?P<host>([a-z0-9-._~!$&\\\'()*+,;=]|%[0-9A-F]{2})*)\n            (:(?P<port>\\d*))?\n            (/(?P<path>([^?\\#"<>\\s]|%[0-9A-F]{2})*/?))?\n            (\\?(?P<query>([a-z0-9-._~!$&\'()*+,;=:/?@]|%[0-9A-F]{2})*))?\n            (\\#(?P<fragment>([a-z0-9-._~!$&\'()*+,;=:/?@]|%[0-9A-F]{2})*))?\n            $\n            ', 'priority': '0', 'entity': 'url'}, 'MD5_REGEX': {'regex': '^(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{32})(?:$

# Regex application to tables

In [26]:
# Core MSTICPy initialization for Notebooks
from msticpy.nbtools import nbinit
# init_notebook is handed this notebook's globals; the names used unqualified
# later (QueryProvider, WorkspaceConfig, nbwidgets, HTML, np) are presumably
# injected here. The trailing ';' suppresses the cell's return-value display.
nbinit.init_notebook(namespace=globals());

# Load query providers (typically you'll be using just one)
qry_prov = QueryProvider("AzureSentinel")

In [27]:
# Authenticate to the workspace described by the default WorkspaceConfig; the
# workspace id/tenant come from the msticpy configuration, not from this notebook
# (NOTE(review): presumably msticpyconfig.yaml — confirm for this environment).
qry_prov.connect(WorkspaceConfig())

In [32]:
# Table names available in the connected workspace; the same list feeds the
# table picker widget further down.
print(qry_prov.schema.keys())

dict_keys(['AACAudit', 'AACHttpRequest', 'AADDomainServicesAccountLogon', 'AADDomainServicesAccountManagement', 'AADDomainServicesDirectoryServiceAccess', 'AADDomainServicesLogonLogoff', 'AADDomainServicesPolicyChange', 'AADDomainServicesPrivilegeUse', 'AADDomainServicesSystemSecurity', 'AADManagedIdentitySignInLogs', 'AADNonInteractiveUserSignInLogs', 'AADProvisioningLogs', 'AADRiskyUsers', 'AADServicePrincipalSignInLogs', 'AADUserRiskEvents', 'ABAPAppLog_CL', 'ABAPAuditLog_CL', 'ABAPCRLog_CL', 'ABAPChangeDocsLog_CL', 'ABAPJobLog_CL', 'ABAPSpoolLog_CL', 'ABSBotRequests', 'ABSChannelToBotRequests', 'ABSDependenciesRequests', 'ACICollaborationAudit', 'ACSAuthIncomingOperations', 'ACSBillingUsage', 'ACSChatIncomingOperations', 'ACSSMSIncomingOperations', 'ADFActivityRun', 'ADFPipelineRun', 'ADFSSISIntegrationRuntimeLogs', 'ADFSSISPackageEventMessageContext', 'ADFSSISPackageEventMessages', 'ADFSSISPackageExecutableStatistics', 'ADFSSISPackageExecutionComponentPhases', 'ADFSSISPackageExecu

In [8]:
# Returns a pandas dataframe
# KQL `sample 100` returns a random subset, so the match ratios computed from
# this frame are not reproducible run to run.
signin_df = qry_prov.exec_query("SigninLogs | sample 100")
signin_df.head()

Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,...,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,IPAddressFromResourceProvider,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type
0,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-08-04 11:24:23.661000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,a37e4d50-e59b-467f-af82-a61a7b8517ef,Microsoft.aadiam,Microsoft.aadiam,,Corina Feuerstein,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-08-04T11:24:23.6616706+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Domain Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key""...",multiFactorAuthentication,...,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{'errorCode': 0, 'additionalDetails': 'MFA requirement satisfied by claim in the token'}",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.451...",Corina Feuerstein,39d7ecf5-da7f-4746-8cdf-ff228b33f547,corinaf@seccxpninja.onmicrosoft.com,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
1,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-08 11:43:15.434000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50059,,User does not exist in directory. Contact your tenant admin.,0,6170b70c-41b9-410b-992f-4a2e742d27d3,Microsoft.aadiam,Microsoft.aadiam,,Purview DataCurator,4,IL,,,a63c72d0-f746-41a0-8f10-e44e0425a524,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,,,,,"{'errorCode': 50059, 'failureReason': 'User does not exist in directory. Contact your tenant adm...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Purview DataCurator,ad75bd68-b15a-465b-8192-0bf2ce84095a,purviewdc@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
2,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-07-07 15:57:58.334000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,1d54c199-dee9-47f4-88fb-9af319b71139,Microsoft.aadiam,Microsoft.aadiam,,Purview Administrator,4,US,,Microsoft Azure Purview Studio,632d803a-b0c2-49b4-a944-e13c384c04a8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-07-07T15:57:58.3348649+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Purview Administrator,92136ac8-4f6e-4259-8c59-c1d33774737d,purviewadmin@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
3,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-08-04 11:06:41.090000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,77816176-f0e2-4c0e-a303-88ebb479d671,Microsoft.aadiam,Microsoft.aadiam,,On-Premises Directory Synchronization Service Account,4,US,Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com,Microsoft Azure Active Directory Connect,cb1056e2-e479-49de-ae31-7812af012ed8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-08-04T11:06:41.0908261+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,,On-Premises Directory Synchronization Service Account,ee856d98-cecd-4dbe-8833-bdeec67847d0,sync_dc01_3862ce34675f@seccxpninja.onmicrosoft.com,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,Sync_DC01_3862ce34675f@seccxpninja.onmicrosoft.com,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
4,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-07 01:40:23.496000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,968ba42c-5557-46d2-aca2-57d9c0dee285,Microsoft.aadiam,Microsoft.aadiam,,On-Premises Directory Synchronization Service Account,4,US,Sync_SOC-DC-Play_8427dcda0b9a@seccxpninja.onmicrosoft.com,Microsoft Azure Active Directory Connect,cb1056e2-e479-49de-ae31-7812af012ed8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-07T01:40:23.4968832+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,,On-Premises Directory Synchronization Service Account,f2b4edd4-a818-4812-9acb-ca8a171c61ae,sync_soc-dc-play_8427dcda0b9a@seccxpninja.onmicrosoft.com,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,Sync_SOC-DC-Play_8427dcda0b9a@seccxpninja.onmicrosoft.com,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs


In [9]:
# Random 100-row sample of SecurityEvent (Windows security audit events).
secevent_df = qry_prov.exec_query("SecurityEvent | sample 100")
secevent_df.head()

Unnamed: 0,TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,SourceComputerId,EventOriginId,MG,TimeCollected,ManagementGroupName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,...,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,2021-07-14 19:39:40.943000+00:00,OpsManager,SECCXP\DC01$,Machine,DC01.seccxp.ninja,Microsoft-Windows-Security-Auditing,Security,13313,8,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">\r\n <Data Name=""Subje...",4689,4689 - A process has exited.,d3cc79f7-05ad-4d42-b699-8c444bde4fc1,6ce720a5-4874-4bfd-bd37-4446f695505f,00000000-0000-0000-0000-000000000001,2021-07-14 19:39:55.243000+00:00,AOI-8ecf8077-cf51-4820-aadd-14040956f35d,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,,,,SecurityEvent,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/simuland/providers/microsoft....
1,8ecf8077-cf51-4820-aadd-14040956f35d,2021-08-04 21:26:55.010000+00:00,OpsManager,WORKGROUP\ATKWORKSTATION$,Machine,AtkWorkstation,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,82eb7d37-d8a7-4949-b914-20cc2d0d6d9d,d6ad809e-86ee-4ad6-b90c-711d81a483b6,00000000-0000-0000-0000-000000000001,2021-08-04 21:27:26.837000+00:00,AOI-8ecf8077-cf51-4820-aadd-14040956f35d,,,,,,,,...,-,S-1-0-0,,,,,,,%%1936,,,,,,,,,,,,,,,SecurityEvent,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/simuland/providers/microsoft....
2,8ecf8077-cf51-4820-aadd-14040956f35d,2021-05-14 06:20:15.647000+00:00,OpsManager,\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a280763d-2a4b-4fcd-896b-1ed5f499bdf4,00000000-0000-0000-0000-000000000001,2021-05-14 06:20:16.718000+00:00,AOI-8ecf8077-cf51-4820-aadd-14040956f35d,,,,,,,,...,administrator,S-1-0-0,,,,,,,,-,,,,,,,,-,,,,,,SecurityEvent,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
3,8ecf8077-cf51-4820-aadd-14040956f35d,2021-05-15 07:56:44.913000+00:00,OpsManager,\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cc2b330-b078-4896-b4a1-19315218559f,00000000-0000-0000-0000-000000000001,2021-05-15 07:56:49.837000+00:00,AOI-8ecf8077-cf51-4820-aadd-14040956f35d,,,,,,,,...,administrator,S-1-0-0,,,,,,,,-,,,,,,,,-,,,,,,SecurityEvent,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
4,8ecf8077-cf51-4820-aadd-14040956f35d,2021-06-10 10:29:44.930000+00:00,OpsManager,SHIR-Hive\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c015989-ca79-496e-9285-a845b8efac8e,00000000-0000-0000-0000-000000000001,2021-06-10 10:29:47.050000+00:00,AOI-8ecf8077-cf51-4820-aadd-14040956f35d,,,,,,,,...,administrator,S-1-0-0,,,,,,,,-,,,,,,,,-,,,,,,SecurityEvent,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-purview/providers/microso...


In [10]:
# Random 100-row sample of OfficeActivity (Office 365 audit records).
offact_df = qry_prov.exec_query("OfficeActivity | sample 100")
offact_df.head()

Unnamed: 0,TenantId,Application,UserDomain,UserAgent,RecordType,TimeGenerated,Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,...,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,,,,ExchangeAdmin,2021-05-23 20:57:14+00:00,Set-Mailbox,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,DcAdmin,NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost),Exchange,True,True,NAMPR06A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/seccxpninja.onmicrosoft.com...,NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost),NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost),,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity,
1,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-04 11:39:14+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Name': 'MailAccessType', 'Value': 'Bind'}, {'Name': 'IsThrottled', 'Value': 'False'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
2,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-28 05:54:44+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
3,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-25 17:16:39+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
4,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-07-27 12:56:41+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032000F4C0E68F,Exchange,Succeeded,Succeeded,,kemckinn@seccxpninja.onmicrosoft.com,kemckinn@seccxpninja.onmicrosoft.com,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,


In [11]:
# Random 1000-row sample of CommonSecurityLog (CEF events from network appliances);
# note this sample is ten times larger than the other three tables'.
comsec_df = qry_prov.exec_query("CommonSecurityLog | sample 1000")
comsec_df.head()

Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,...,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,2021-07-14 06:49:31.407000+00:00,,Fortinet,Fortigate,28704,2,,,,,1.0,,443.0,20.38.122.4,,,"Collaboration: Microsoft.Portal,",6.0,50356.0,10.0.1.8,,,,...,,,,,,,,,,,,,,,,,,,,,FortinetFortiGateeventtime=1626245410126402816;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=...,NaT,NaT,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
1,8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,2021-06-14 07:43:13.479000+00:00,,Fortinet,Fortigate,00013,3,,,,,,,443.0,20.38.122.4,,,,6.0,56936.0,10.0.1.5,,,,...,,,,,,,,,,,,,,,,,,,,,FortinetFortiGateeventtime=1623656597645434767;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=...,NaT,NaT,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
2,8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,2021-05-18 01:29:14.633000+00:00,$cefformatted-receive_time,Palo Alto Networks,PAN-OS,end,1,,,,,,,,10.6.1.5,,,,,,20.98.114.31,,,,...,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
3,8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,2021-08-04 21:38:16.272000+00:00,,Zscaler,NSSWeblog,Allowed,3,,Allowed,Allowed,,1.0,,,142.250.184.226,,,,,,72.52.82.194,,,,...,,malwarecat,,threatname,,md5hash,,,,,,,,,,,,,,,reason=Allowed;pagead2.googlesyndication.com/pagead/sodar?id=;sodar2&v=;224&li=;gpt_2021072901&j...,NaT,NaT,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...
4,8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,2021-08-04 21:38:16.289000+00:00,,Fortinet,Fortigate,28704,2,,,,,1.0,,443.0,20.44.8.3,,,"Cloud.IT: Microsoft.Azure,",6.0,32904.0,10.0.1.7,,,,...,,,,,,,,,,,,,,,,,,,,,FortinetFortiGateeventtime=1628113121859765336;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=...,NaT,NaT,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/micros...


In [12]:
from collections import defaultdict

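def match_regexes(data, debug=False, regexes=None):
    """Apply every regex to every string column of a table and report match ratios.

    Args:
        data (DataFrame): A table/log queried from the connected Azure Sentinel workspace.
        debug (bool, optional): If True, prints the columns that were skipped and the
            columns for which no match was found. Defaults to False.
        regexes (dict, optional): Mapping ``{name: {"regex": pattern, ...}}`` to apply.
            Defaults to the notebook-level ``entity_regexes`` loaded from regexes.json.

    Returns:
        Dictionary: {Column: {Regex: (Match ratio excluding blanks, Total match ratio)}}.
        Columns that matched no regex are omitted.
    """
    if regexes is None:
        regexes = entity_regexes
    full_matches = {}
    for col in data.columns:
        series = data[col]
        if len(series) < 1:
            continue
        # Only the first value is type-checked. .iloc is positional, so a filtered
        # or re-indexed frame (no label 0) does not raise KeyError.
        if not isinstance(series.iloc[0], str):
            if debug:
                print(f" -- col {col} is type {series.dtype}. Skipping")
            continue
        row_count = len(series)
        # The blank-row count does not depend on the regex, so compute it once per
        # column. NaN/None entries compare unequal to "" and count as non-blank.
        num_non_blanks = row_count - (series.str.strip() == "").sum()
        for name, regex in regexes.items():
            # str.match anchors at the start of each value; case-insensitive and
            # verbose so the multi-line patterns in regexes.json work as written.
            match_count = series.str.match(
                regex["regex"], case=False, flags=re.VERBOSE
            ).sum()
            total_match_ratio = match_count / row_count
            if total_match_ratio <= 0:
                continue
            match_ratio = (
                match_count / num_non_blanks if num_non_blanks > 0 else total_match_ratio
            )
            full_matches.setdefault(col, {})[name] = (match_ratio, total_match_ratio)
        if col not in full_matches and debug:
            print(f" -- col {col} no match found")
    return full_matches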

In [13]:
# Full (anchored) regex scan of each sampled table, keyed by table name.
table_regexes = {
    "SigninLogs": match_regexes(signin_df),
    "SecurityEvent": match_regexes(secevent_df),
    "OfficeActivity": match_regexes(offact_df),
    "CommonSecurityLog": match_regexes(comsec_df),
}

import pprint
for table_name, col_matches in table_regexes.items():
    # Table name, underlined, then the per-column matches.
    print(f"{table_name}\n{'-' * len(table_name)}")
    pprint.pprint(col_matches)

SigninLogs
----------
{'AADTenantId': {'GUID_REGEX': (1.0, 1.0)},
 'AlternateSignInName': {'EMAIL_REGEX': (1.0, 0.34)},
 'AppId': {'GUID_REGEX': (1.0, 1.0)},
 'CorrelationId': {'GUID_REGEX': (1.0, 1.0)},
 'HomeTenantId': {'GUID_REGEX': (1.0, 0.95)},
 'IPAddress': {'IPV4_REGEX': (0.95, 0.95), 'IPV6_REGEX': (0.05, 0.05)},
 'Id': {'GUID_REGEX': (1.0, 1.0)},
 'Identity': {'DNS_REGEX': (0.01, 0.01)},
 'OriginalRequestId': {'GUID_REGEX': (1.0, 1.0)},
 'Resource': {'DNS_REGEX': (1.0, 1.0)},
 'ResourceGroup': {'DNS_REGEX': (1.0, 1.0)},
 'ResourceId': {'LXPATH_REGEX': (1.0, 1.0), 'RESOURCEID_REGEX': (1.0, 1.0)},
 'ResourceIdentity': {'GUID_REGEX': (1.0, 0.94)},
 'ResourceTenantId': {'GUID_REGEX': (1.0, 1.0)},
 'SignInIdentifier': {'EMAIL_REGEX': (1.0, 0.34)},
 'TenantId': {'GUID_REGEX': (1.0, 1.0)},
 'UserDisplayName': {'DNS_REGEX': (0.01, 0.01)},
 'UserId': {'GUID_REGEX': (1.0, 1.0)},
 'UserPrincipalName': {'EMAIL_REGEX': (1.0, 1.0)}}
SecurityEvent
-------------
{'Account': {'NTACCT_REGEX': (0

In [14]:
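def table_match_to_html(table_name, show_guids=False):
    """Return the regex matches of one table's columns as an HTML table.

    Args:
        table_name (str): Key into the notebook-level ``table_regexes`` dict
            (the per-table output of match_regexes).
        show_guids (bool, optional): Include GUID_REGEX matches, which are hidden
            by default because a GUID does not identify an entity. Defaults to False.

    Returns:
        HTML: IPython display object; "No data" when the table was not analysed.
    """
    if table_name not in table_regexes:
        return HTML("No data")

    # Create html table header
    table_html = ["<table><thead><tr><th>Column</th><th>Matches</th></tr></thead><tbody>"]

    for col, matches in table_regexes[table_name].items():
        # (priority, cell text) pairs. A list rather than a dict keyed by priority,
        # so two regexes sharing a priority (e.g. IPV4 and IPV6) are both shown
        # instead of the later one overwriting the earlier.
        cells = []
        for rgx_match, perc_match in matches.items():
            if rgx_match == "GUID_REGEX" and not show_guids:
                continue
            rgx_def = entity_regexes.get(rgx_match, {})
            # Entries without an entity (GUID_REGEX) fall back to the regex name.
            entity_name = rgx_def.get("entity") or rgx_match
            # Priorities are stored as strings; compare as ints so the sort is numeric
            # and agrees with interpret_matches.
            regex_priority = int(rgx_def.get("priority", 0))
            # Escape names so unusual characters in column/regex names render literally.
            cells.append((
                regex_priority,
                f"<b>{html.escape(str(entity_name))}</b> [p:{regex_priority}] "
                f"(matched {html.escape(str(rgx_match))} {perc_match[0] * 100:0.1f}%,  "
                f"all rows {perc_match[1] * 100:0.1f}%) ",
            ))
        # Highest priority (lowest number) first; the sort is stable, so matches
        # with equal priority keep their original order.
        cells.sort(key=lambda cell: cell[0])
        cols = "&nbsp;&nbsp;".join(text for _, text in cells)
        # Each row is closed with </tr> so the markup is well formed.
        table_html.append(f"<tr><td><b>{html.escape(str(col))}</b></td><td>{cols}</td></tr>")
    # add a text heading
    header = "<h2>Column entities</h2>"
    # build and return the table html
    return HTML(f"{header} {''.join(table_html)}</tbody></table>")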


# Table picker: selecting a name calls table_match_to_html(name) (nbwidgets
# presumably displays the callback's return value — confirm). Only the tables
# already scanned into table_regexes show matches; the rest render "No data".
nbwidgets.SelectItem(item_list=list(qry_prov.schema.keys()), height="300px", action=table_match_to_html)

VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…

## Modification of match_regexes function for partial (substring) matches

In [15]:
from collections import defaultdict

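def match_regexes_partial(data, debug=False, regexes=None):
    """Like match_regexes, but look for each regex anywhere inside a value.

    The leading ``^`` and trailing ``$`` are stripped from every pattern and the
    result is applied with an unanchored search (``str.contains``) rather than
    ``str.match``, so a value such as ``"hash=<md5> seen"`` counts as a hit.

    Args:
        data (DataFrame): A table/log queried from the connected Azure Sentinel workspace.
        debug (bool, optional): If True, prints skipped columns and columns with no
            match. Defaults to False.
        regexes (dict, optional): Mapping ``{name: {"regex": pattern, ...}}`` to apply.
            Defaults to the notebook-level ``entity_regexes`` loaded from regexes.json.

    Returns:
        Dictionary: {Column: {Regex: match ratio excluding blank rows}}.
        Columns that matched no regex are omitted.
    """
    if regexes is None:
        regexes = entity_regexes
    # Strip a leading ^ and trailing $ together with surrounding whitespace.
    # DOTALL is needed because several catalogue patterns span multiple lines;
    # without it `.*` stops at the first newline and those patterns keep their anchors.
    anchor_pattern = re.compile(r"^\s*\^(.*)\s*\$\s*$", re.DOTALL)
    full_matches = {}
    for col in data.columns:
        series = data[col]
        # dtype.kind "O" covers numpy object columns and pandas extension string
        # dtypes; numeric, boolean and datetime columns cannot hold text.
        if series.dtype.kind != "O":
            if debug:
                print(f" -- col {col} is type {series.dtype}. Skipping")
            continue
        row_count = len(series)
        if row_count < 1:
            continue
        # NaN/None entries compare unequal to "" and so count as non-blank.
        num_non_blanks = row_count - (series.str.strip() == "").sum()
        for name, regex in regexes.items():
            part_regex = anchor_pattern.sub(r"\1", regex["regex"])
            # Unanchored, case-insensitive, verbose search. Non-string cells yield
            # NaN, which sum() ignores.
            match_count = series.str.contains(
                part_regex, case=False, flags=re.VERBOSE, regex=True
            ).sum()
            match_ratio = match_count / row_count
            if match_ratio <= 0:
                continue
            true_match_ratio = (
                match_count / num_non_blanks if num_non_blanks > 0 else match_ratio
            )
            full_matches.setdefault(col, {})[name] = true_match_ratio
        if col not in full_matches and debug:
            print(f" -- col {col} no match found")
    return full_matches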

In [16]:
# Substring (unanchored) regex scan of each sampled table, keyed by table name.
table_regexes_part = {
    "SigninLogs": match_regexes_partial(signin_df),
    "SecurityEvent": match_regexes_partial(secevent_df),
    "OfficeActivity": match_regexes_partial(offact_df),
    "CommonSecurityLog": match_regexes_partial(comsec_df),
}

import pprint
for table_name, col_matches in table_regexes_part.items():
    # Table name, underlined, then the per-column matches.
    print(f"{table_name}\n{'-' * len(table_name)}")
    pprint.pprint(col_matches)

SigninLogs
----------
{'AADTenantId': {'GUID_REGEX': 1.0},
 'AlternateSignInName': {'EMAIL_REGEX': 1.0},
 'AppId': {'GUID_REGEX': 1.0},
 'CorrelationId': {'GUID_REGEX': 1.0},
 'HomeTenantId': {'GUID_REGEX': 1.0},
 'IPAddress': {'IPV4_REGEX': 0.95, 'IPV6_REGEX': 0.05},
 'Id': {'GUID_REGEX': 1.0},
 'Identity': {'DNS_REGEX': 0.01},
 'OriginalRequestId': {'GUID_REGEX': 1.0},
 'Resource': {'DNS_REGEX': 1.0},
 'ResourceGroup': {'DNS_REGEX': 1.0},
 'ResourceId': {'LXPATH_REGEX': 1.0, 'RESOURCEID_REGEX': 1.0},
 'ResourceIdentity': {'GUID_REGEX': 1.0},
 'ResourceTenantId': {'GUID_REGEX': 1.0},
 'SignInIdentifier': {'EMAIL_REGEX': 1.0},
 'TenantId': {'GUID_REGEX': 1.0},
 'UserDisplayName': {'DNS_REGEX': 0.01},
 'UserId': {'GUID_REGEX': 1.0},
 'UserPrincipalName': {'DNS_REGEX': 0.1, 'EMAIL_REGEX': 1.0}}
SecurityEvent
-------------
{'Account': {'DNS_REGEX': 0.010638297872340425,
             'NTACCT_REGEX': 0.723404255319149,
             'WINPATH_REGEX': 0.2765957446808511},
 'AdditionalInfo2': {

In [17]:
# Re-print the anchored (full-match) results for side-by-side comparison with
# the substring results above.
for table_name, col_matches in table_regexes.items():
    underline = "-" * len(table_name)
    print(f"{table_name}\n{underline}")
    pprint.pprint(col_matches)

SigninLogs
----------
{'AADTenantId': {'GUID_REGEX': (1.0, 1.0)},
 'AlternateSignInName': {'EMAIL_REGEX': (1.0, 0.34)},
 'AppId': {'GUID_REGEX': (1.0, 1.0)},
 'CorrelationId': {'GUID_REGEX': (1.0, 1.0)},
 'HomeTenantId': {'GUID_REGEX': (1.0, 0.95)},
 'IPAddress': {'IPV4_REGEX': (0.95, 0.95), 'IPV6_REGEX': (0.05, 0.05)},
 'Id': {'GUID_REGEX': (1.0, 1.0)},
 'Identity': {'DNS_REGEX': (0.01, 0.01)},
 'OriginalRequestId': {'GUID_REGEX': (1.0, 1.0)},
 'Resource': {'DNS_REGEX': (1.0, 1.0)},
 'ResourceGroup': {'DNS_REGEX': (1.0, 1.0)},
 'ResourceId': {'LXPATH_REGEX': (1.0, 1.0), 'RESOURCEID_REGEX': (1.0, 1.0)},
 'ResourceIdentity': {'GUID_REGEX': (1.0, 0.94)},
 'ResourceTenantId': {'GUID_REGEX': (1.0, 1.0)},
 'SignInIdentifier': {'EMAIL_REGEX': (1.0, 0.34)},
 'TenantId': {'GUID_REGEX': (1.0, 1.0)},
 'UserDisplayName': {'DNS_REGEX': (0.01, 0.01)},
 'UserId': {'GUID_REGEX': (1.0, 1.0)},
 'UserPrincipalName': {'EMAIL_REGEX': (1.0, 1.0)}}
SecurityEvent
-------------
{'Account': {'NTACCT_REGEX': (0

In [18]:
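def interpret_matches(table_match_dic, regex_defs=None):
    """Assign one entity type to each column from its regex match statistics.

    For every column the candidate regexes are ranked by the fraction of
    sampled values they matched (element 0 of the match tuple, highest wins).
    Ties are broken by the regex ``priority`` (0 is the highest, larger numbers
    are lower); on a full tie the first candidate in iteration order is kept.
    ``GUID_REGEX`` matches are ignored because a GUID on its own does not
    identify an entity type.

    The original tie-break used the best priority seen over *all* candidates,
    which could pick a regex with a lower match fraction than the winner; the
    ranking below only breaks ties between regexes with the same fraction.

    Args:
        table_match_dic (dict): Output of match_entities/match_regexes:
            ``{table: {column: {regex_name: (match_fraction, ...)}}}``.
        regex_defs (dict, optional): Regex definitions of the form
            ``{regex_name: {"priority": str, "entity": str}}``. Defaults to
            the module-level ``entity_regexes``.

    Returns:
        dict: ``{table: {column: entity}}``. Columns with no non-GUID match
        are omitted; a regex without an ``entity`` definition maps to ``None``.
    """
    if regex_defs is None:
        regex_defs = entity_regexes

    def _priority(regex_name):
        # Unknown regexes keep the original default priority of 0.
        return int(regex_defs.get(regex_name, {}).get("priority", 0))

    entity_assignments = {}
    for table, cols in table_match_dic.items():
        entity_assignments[table] = {}
        for col, matches in cols.items():
            candidates = [name for name in matches if name != "GUID_REGEX"]
            if not candidates:
                continue
            # Prefer the highest match fraction, then the lowest priority
            # number; min() keeps the first candidate on a complete tie.
            best = min(
                candidates,
                key=lambda name: (-matches[name][0], _priority(name)),
            )
            entity_assignments[table][col] = regex_defs.get(best, {}).get("entity")

    return entity_assignments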
    

In [19]:
# Resolve each column to a single entity and print the result per table.
table_entities = interpret_matches(table_regexes)

for tbl_name, col_entities in table_entities.items():
    underline = "-" * len(tbl_name)
    print(tbl_name)
    print(underline)
    pprint.pprint(col_entities)

SigninLogs
----------
{'AlternateSignInName': 'account',
 'IPAddress': 'ipaddress',
 'Identity': 'host',
 'Resource': 'host',
 'ResourceGroup': 'host',
 'ResourceId': 'azureresource',
 'SignInIdentifier': 'account',
 'UserDisplayName': 'host',
 'UserPrincipalName': 'account'}
SecurityEvent
-------------
{'Account': 'account',
 'CallerProcessName': 'process',
 'CommandLine': 'process',
 'Computer': 'host',
 'FileHash': 'hash',
 'FilePath': 'account',
 'IpAddress': 'ipaddress',
 'MandatoryLabel': 'account',
 'NewProcessName': 'process',
 'ObjectName': 'file',
 'ParentProcessName': 'process',
 'Process': 'process',
 'ProcessName': 'process',
 'SubjectAccount': 'account',
 'SubjectUserSid': 'account',
 'TargetAccount': 'file',
 'TargetDomainName': 'host',
 'TargetSid': 'account',
 'TargetUser': 'account',
 'TargetUserSid': 'account',
 '_ResourceId': 'azureresource'}
OfficeActivity
--------------
{'ClientIP': 'ipaddress',
 'ClientIP_': 'ipaddress',
 'Client_IPAddress': 'ipaddress',
 'LogonU

In [20]:
# Echo the full {table: {column: entity}} mapping as notebook output.
table_entities

{'SigninLogs': {'ResourceId': 'azureresource',
  'Resource': 'host',
  'ResourceGroup': 'host',
  'Identity': 'host',
  'AlternateSignInName': 'account',
  'IPAddress': 'ipaddress',
  'UserDisplayName': 'host',
  'UserPrincipalName': 'account',
  'SignInIdentifier': 'account'},
 'SecurityEvent': {'Account': 'account',
  'Computer': 'host',
  'CallerProcessName': 'process',
  'CommandLine': 'process',
  'FileHash': 'hash',
  'FilePath': 'account',
  'IpAddress': 'ipaddress',
  'MandatoryLabel': 'account',
  'NewProcessName': 'process',
  'ObjectName': 'file',
  'ParentProcessName': 'process',
  'Process': 'process',
  'ProcessName': 'process',
  'SubjectAccount': 'account',
  'SubjectUserSid': 'account',
  'TargetAccount': 'file',
  'TargetDomainName': 'host',
  'TargetSid': 'account',
  'TargetUser': 'account',
  'TargetUserSid': 'account',
  '_ResourceId': 'azureresource'},
 'OfficeActivity': {'UserKey': 'account',
  'OfficeObjectId': 'url',
  'UserId': 'account',
  'UserId_': 'accoun

In [21]:
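def create_entity_index(data):
    """Invert a table->column->entity mapping into an index keyed by entity.

    Args:
        data (dict): Output of interpret_matches: ``{table: {column: entity}}``.

    Returns:
        dict: ``{entity: [(table, column), ...]}``. Entities appear in
        first-seen order and each list follows the input's table/column order.
    """
    entity_dict = {}
    for table, cols in data.items():
        for col, entity in cols.items():
            # One pass with setdefault replaces the original key-then-fill
            # double loop; insertion order is identical.
            entity_dict.setdefault(entity, []).append((table, col))
    return entity_dict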

In [93]:
# Build the entity -> [(table, column)] index and print it grouped by entity.
key_entity_dict = create_entity_index(table_entities)

import pprint
for entity_name, locations in key_entity_dict.items():
    print(entity_name)
    print("-" * len(entity_name))
    pprint.pprint(locations)

azureresource
-------------
[('SigninLogs', 'ResourceId'),
 ('SecurityEvent', '_ResourceId'),
 ('CommonSecurityLog', '_ResourceId')]
host
----
[('SigninLogs', 'Resource'),
 ('SigninLogs', 'ResourceGroup'),
 ('SecurityEvent', 'Computer'),
 ('SecurityEvent', 'Process'),
 ('SecurityEvent', 'TargetDomainName'),
 ('OfficeActivity', 'SourceFileName'),
 ('OfficeActivity', 'SourceFileName_'),
 ('OfficeActivity', 'DestinationFileName'),
 ('OfficeActivity', 'OrganizationName'),
 ('CommonSecurityLog', 'DestinationHostName'),
 ('CommonSecurityLog', 'DeviceCustomString5')]
account
-------
[('SigninLogs', 'AlternateSignInName'),
 ('SigninLogs', 'UserPrincipalName'),
 ('SigninLogs', 'SignInIdentifier'),
 ('SecurityEvent', 'Account'),
 ('SecurityEvent', 'FilePath'),
 ('SecurityEvent', 'MandatoryLabel'),
 ('SecurityEvent', 'SubjectAccount'),
 ('SecurityEvent', 'SubjectUserSid'),
 ('SecurityEvent', 'TargetSid'),
 ('SecurityEvent', 'TargetUser'),
 ('SecurityEvent', 'TargetUserName'),
 ('SecurityEvent', '

In [94]:
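def detect_entities_random(count=3, sample_size=100):
    """Detect entities on a few randomly chosen tables from the schema.

    Runs match_regexes, interpret_matches and create_entity_index over up to
    ``count`` tables drawn at random from ``qry_prov.schema``. Tables whose
    sample query returns no rows are skipped.

    The original implementation used ``qry_prov.schema.popitem()``, which
    removed the tables it looked at from the shared schema dict (and always
    took the last-inserted ones rather than random ones). This version reads
    the schema without mutating it.

    Args:
        count (int): Number of non-empty tables to analyse. Defaults to 3.
        sample_size (int): Rows sampled per table. Defaults to 100.

    Returns:
        dict: Output of create_entity_index: ``{entity: [(table, column)]}``.
        May cover fewer than ``count`` tables if the schema has too few tables
        with data.
    """
    import random

    # Coerce before the value is interpolated into the query text.
    rows = int(sample_size)
    if rows <= 0:
        raise ValueError("sample_size must be a positive integer")

    tables = list(qry_prov.schema)
    random.shuffle(tables)

    output_regexes = {}
    for table in tables:
        if len(output_regexes) >= count:
            break
        df = qry_prov.exec_query(f"{table} | sample {rows}")
        if len(df) == 0:
            continue
        output_regexes[table] = match_regexes(df)

    output_entities = interpret_matches(output_regexes)
    return create_entity_index(output_entities)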

In [95]:
# Run detection on a random subset of tables and print the index per entity.
entity_dict = detect_entities_random()

for entity_name, locations in entity_dict.items():
    print(entity_name)
    print("-" * len(entity_name))
    pprint.pprint(locations)

host
----
[('Watchlist', 'Source'),
 ('VMProcess', 'Computer'),
 ('VMProcess', 'ExecutableName'),
 ('VMProcess', 'DisplayName'),
 ('VMProcess', 'InternalName'),
 ('VMConnection', 'Computer'),
 ('VMConnection', 'ProcessName')]
account
-------
[('Watchlist', 'SearchKey')]
ipaddress
---------
[('VMProcess', 'ProductVersion'),
 ('VMProcess', 'FileVersion'),
 ('VMConnection', 'SourceIp'),
 ('VMConnection', 'DestinationIp'),
 ('VMConnection', 'RemoteIp')]
file
----
[('VMProcess', 'ExecutablePath'),
 ('VMProcess', 'CommandLine'),
 ('VMProcess', 'WorkingDirectory')]
azureresource
-------------
[('VMProcess', '_ResourceId'), ('VMConnection', '_ResourceId')]
hash
----
[('VMConnection', 'ConnectionId')]


In [111]:
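def detect_entities(tables, sample_size='100'):
    """Run entity detection over the selected tables in the schema.

    For each table a ``<table> | sample <n>`` query is executed through
    ``qry_prov``; the results are passed through match_regexes,
    interpret_matches and create_entity_index.

    Args:
        tables (Iterable[str]): Table names to iterate over. In this notebook
            they come from the schema selection widget; the names are placed
            into the query text as-is, so only pass trusted schema names.
        sample_size (str | int, optional): Number of rows to sample per table.
            Defaults to '100'.

    Returns:
        dict: Output of create_entity_index: ``{entity: [(table, column)]}``.

    Raises:
        ValueError: If ``sample_size`` is not a positive integer. The value is
            interpolated into the KQL query, so it is validated rather than
            passed through verbatim.
    """
    rows = int(sample_size)
    if rows <= 0:
        raise ValueError("sample_size must be a positive integer")

    output_regexes = {}
    for table in tables:
        df = qry_prov.exec_query(f"{table} | sample {rows}")
        output_regexes[table] = match_regexes(df)

    output_entities = interpret_matches(output_regexes)
    return create_entity_index(output_entities)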

# Widget for picking which schema tables detect_entities should query.
sel_sub = nbwidgets.SelectSubset(source_items=list(qry_prov.schema.keys()))



VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), HBo…

In [116]:
# Detect entities for the tables chosen in the widget and print the index.
res = detect_entities(sel_sub.selected_items)
for entity_name, locations in res.items():
    print(entity_name)
    print("-" * len(entity_name))
    pprint.pprint(locations)

host
----
[('AADManagedIdentitySignInLogs', 'ResourceGroup'),
 ('AADNonInteractiveUserSignInLogs', 'ResourceGroup'),
 ('AADServicePrincipalSignInLogs', 'ResourceGroup'),
 ('AWSCloudTrail', 'EventSource'),
 ('AWSCloudTrail', 'UserIdentityInvokedBy'),
 ('AWSCloudTrail', 'UserAgent'),
 ('Anomalies', 'DestinationDevice'),
 ('AuditLogs', 'Resource'),
 ('AuditLogs', 'ResourceGroup'),
 ('AuditLogs', 'Identity'),
 ('AzureActivity', 'ResourceProvider'),
 ('AzureActivity', 'ResourceProviderValue'),
 ('AzureActivity', 'Resource'),
 ('AzureDiagnostics', 'ResourceProvider'),
 ('AzureMetrics', 'ResourceProvider'),
 ('BehaviorAnalytics', 'DestinationDevice'),
 ('CommonSecurityLog', 'DestinationHostName'),
 ('CommonSecurityLog', 'DeviceCustomString5'),
 ('ConfigurationChange', 'Computer'),
 ('ConfigurationData', 'Computer'),
 ('ConfigurationData', 'Name'),
 ('DeviceEvents', 'DeviceName'),
 ('DeviceEvents', 'FileName'),
 ('DeviceEvents', 'InitiatingProcessCommandLine'),
 ('DeviceEvents', 'InitiatingPro

# Autogenerating queries

In [98]:
# KQL template: {table} and {ColumnName} are filled first, then the escaped
# {{MySearch}} placeholder. NOTE(review): MySearch lands inside a double-quoted
# KQL string literal, so whatever substitutes it must escape backslashes and
# double quotes or a search value can break out of the literal.
query_template = """
{table}
| where {ColumnName} == "{{MySearch}}"
"""

In [99]:
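def generate_query(entity_type, search_value, entities=None, template=None):
    """Build one KQL query per column whose detected entity type matches.

    Args:
        entity_type (str): Entity label to look for (e.g. "account", "host").
        search_value (str): Value to compare the matching column against. It is
            inserted as a KQL double-quoted string literal, so any backslash or
            double quote it contains is escaped instead of becoming query syntax.
        entities (dict, optional): Mapping of table -> {column: entity}. Defaults
            to the module-level ``table_entities``.
        template (str, optional): Query template using ``{table}``,
            ``{ColumnName}`` and a doubled ``{{MySearch}}`` placeholder. Defaults
            to the module-level ``query_template``.

    Returns:
        list[str]: Rendered queries in table/column iteration order; empty when
        no column carries ``entity_type``.
    """
    if entities is None:
        entities = table_entities
    if template is None:
        template = query_template
    # Escape for a KQL "..." literal: backslash first, then the quote, so the
    # comparison value can never terminate the literal early.
    literal = str(search_value).replace("\\", "\\\\").replace('"', '\\"')
    queries = []
    for table, matches in entities.items():
        for col, entity in matches.items():
            if entity != entity_type:
                continue
            # Pass one turns {{MySearch}} into {MySearch}; pass two fills it in.
            query = template.format(table=table, ColumnName=col)
            queries.append(query.format(MySearch=literal))
    return queries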

In [100]:
# Render one query per detected "account" column for the sample UPN and
# print the raw list.
queries = generate_query(entity_type="account", search_value="franmer@seccxp.ninja")
print(queries)

['\nSigninLogs\n| where AlternateSignInName == "franmer@seccxp.ninja"\n', '\nSigninLogs\n| where UserPrincipalName == "franmer@seccxp.ninja"\n', '\nSigninLogs\n| where SignInIdentifier == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where Account == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where FilePath == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where MandatoryLabel == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where SubjectAccount == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where SubjectUserSid == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where TargetSid == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where TargetUser == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where TargetUserName == "franmer@seccxp.ninja"\n', '\nSecurityEvent\n| where TargetUserSid == "franmer@seccxp.ninja"\n', '\nOfficeActivity\n| where UserKey == "franmer@seccxp.ninja"\n', '\nOfficeActivity\n| where UserId == "franmer@seccxp.ninja"\n', '\nOfficeActivity\n| where UserId_ == "f

In [101]:
# Execute each generated query and show only those that returned rows, each
# preceded by the query text and an underline of the same width.
for query in queries:
    query_result = qry_prov.exec_query(query)
    if len(query_result) == 0:
        continue
    print(f"{query}\n{'-' * len(query)}")
    display(query_result)


SigninLogs
| where AlternateSignInName == "franmer@seccxp.ninja"

------------------------------------------------------------------


Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,...,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,IPAddressFromResourceProvider,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type
0,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-12 13:37:19.072000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,59d7867f-f362-4028-870e-73af4abfb988,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-12T13:37:19.0721742+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
1,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-12 13:37:22.209000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,59d7867f-f362-4028-870e-73af4abfb988,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
2,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-13 03:12:13.053000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,746330c1-7f0f-47bb-a376-7d3f34d54b14,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Microsoft Azure Purview Studio,632d803a-b0c2-49b4-a944-e13c384c04a8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-13T03:12:13.0536914+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
3,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-13 12:31:29.277000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,8786d458-9614-4a31-bede-6477af555759,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-13T12:31:29.2777075+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
4,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-13 12:31:31.528000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,8786d458-9614-4a31-bede-6477af555759,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
137,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-14 13:23:58.922000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,1ec7c6f9-8a0c-4eb8-ae26-228ab2dd4609,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-14T13:23:58.9224812+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
138,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-14 13:24:01.106000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,1ec7c6f9-8a0c-4eb8-ae26-228ab2dd4609,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
139,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-14 13:29:01.469000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,7f2f4605-4139-4cdb-ac2c-e134a6ad4ed8,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure SQL Database and Data Warehouse,a94f9c62-97fe-4d19-b06d-472bed8d2bcf,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-14T13:29:01.4691263+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Azure SQL Database,022907d3-0f1b-48f7-badc-1ba6abab6d66,,,{'errorCode': 0},,AzureAD,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET...,Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
140,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-15 01:43:38.296000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,6906a756-0e83-44e6-bb52-692bc385839e,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Microsoft Azure Purview Studio,632d803a-b0c2-49b4-a944-e13c384c04a8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-15T01:43:38.2960224+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs



SigninLogs
| where UserPrincipalName == "franmer@seccxp.ninja"

----------------------------------------------------------------


Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,...,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,IPAddressFromResourceProvider,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type
0,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-29 13:37:47.856000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,5c8a319d-e1f7-467a-8e07-adc263145b4e,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Azure Data Factory,16f9b8e9-d20b-45a1-ab9e-db2e8254508b,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-29T13:37:47.8562775+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
1,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-29 13:38:28.260000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,41491a5f-42f5-4ecb-9b8f-31d89722d70e,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Azure Data Factory,16f9b8e9-d20b-45a1-ab9e-db2e8254508b,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-29T13:38:28.2601213+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
2,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-29 13:37:23.690000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,25af9e45-596d-44da-95a1-c700bbb02ce3,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
3,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-29 13:37:48.290000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,25af9e45-596d-44da-95a1-c700bbb02ce3,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-29T13:37:48.2902509+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
4,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-29 14:40:31.381000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,9a8837a3-8e38-4b9b-bb89-f5088794f74d,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Azure Data Factory,16f9b8e9-d20b-45a1-ab9e-db2e8254508b,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-29T14:40:31.3816461+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
490,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-05 11:57:17.467000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,d03c1691-4cb2-4400-ae30-6c9137217e25,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-05T11:57:17.4677003+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
491,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-05 12:45:47.068000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,96beb12d-c6df-4590-a7fd-ab1d5d3f4693,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Microsoft Power BI,871c010f-5e61-4fb1-83ac-98610a7e9110,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-05T12:45:47.0680577+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Power BI Service,00000009-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
492,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-05 12:53:18.166000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,ce5d7c59-7522-4b56-af9f-6355414bdad6,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,,Microsoft Azure Purview Studio,632d803a-b0c2-49b4-a944-e13c384c04a8,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-06-05T12:53:18.166953+00:00"",\r\n ""authen...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
493,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-06-05 11:57:20.114000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,d03c1691-4cb2-4400-ae30-6c9137217e25,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.447...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs



SigninLogs
| where SignInIdentifier == "franmer@seccxp.ninja"

---------------------------------------------------------------


Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,...,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,IPAddressFromResourceProvider,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type
0,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-20 12:55:28.712000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,e69e9d7c-fbd4-467d-8654-033899afcbcd,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
1,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-20 12:55:20.632000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50126,,Invalid username or password or Invalid on-premise username or password.,0,e69e9d7c-fbd4-467d-8654-033899afcbcd,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-20T12:55:20.6324101+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50126, 'failureReason': 'Invalid username or password or Invalid on-premise userna...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
2,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-20 12:55:26.297000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,e69e9d7c-fbd4-467d-8654-033899afcbcd,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-20T12:55:26.2971052+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
3,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-20 12:55:14.927000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50126,,Invalid username or password or Invalid on-premise username or password.,0,e69e9d7c-fbd4-467d-8654-033899afcbcd,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-20T12:55:14.9279327+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50126, 'failureReason': 'Invalid username or password or Invalid on-premise userna...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
4,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-20 19:25:14.679000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,c86b6d27-db02-419f-8455-ef6ebf68bf77,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-20T19:25:14.6792504+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
137,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-17 21:24:16.866000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,a0cfa3da-8f6c-43ba-8ff7-454126f09942,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure SQL Database and Data Warehouse,a94f9c62-97fe-4d19-b06d-472bed8d2bcf,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-17T21:24:16.8663862+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Azure SQL Database,022907d3-0f1b-48f7-badc-1ba6abab6d66,,,{'errorCode': 0},,AzureAD,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET...,Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
138,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-17 21:24:10.126000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50126,,Invalid username or password or Invalid on-premise username or password.,0,a0cfa3da-8f6c-43ba-8ff7-454126f09942,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure SQL Database and Data Warehouse,a94f9c62-97fe-4d19-b06d-472bed8d2bcf,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-17T21:24:10.1262811+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""Login Hint Present"",\r\n ""value"": ""True""\r\n },\r\n {\r\n ""key"":...",singleFactorAuthentication,...,[],[],none,none,none,Azure SQL Database,022907d3-0f1b-48f7-badc-1ba6abab6d66,,,"{'errorCode': 50126, 'failureReason': 'Invalid username or password or Invalid on-premise userna...",,AzureAD,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET...,Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
139,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-17 13:46:25.505000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,0,,,0,d477191d-9076-4cda-9d37-58cc64eed3c4,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,[],,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,{'errorCode': 0},,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs
140,8ecf8077-cf51-4820-aadd-14040956f35d,Azure AD,2021-05-17 13:46:22.484000+00:00,/tenants/4b2462a4-bbee-495a-a0e1-f23ae524cc9c/providers/Microsoft.aadiam,Sign-in activity,1.0,SignInLogs,50140,,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,0,d477191d-9076-4cda-9d37-58cc64eed3c4,Microsoft.aadiam,Microsoft.aadiam,,Franck Mercier,4,CA,franmer@seccxp.ninja,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[\r\n {\r\n ""authenticationStepDateTime"": ""2021-05-17T13:46:22.4843597+00:00"",\r\n ""authe...",,"[\r\n {\r\n ""key"": ""IsCAEToken"",\r\n ""value"": ""False""\r\n }\r\n]",singleFactorAuthentication,...,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{'errorCode': 50140, 'failureReason': 'This error occurred due to 'Keep me signed in' interrupt ...",,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.443...",Franck Mercier,88ef73a2-66fd-465a-a935-3d2fbbadf2df,franmer@seccxp.ninja,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Member,,,franmer@seccxp.ninja,,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,SigninLogs



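// Office 365 audit events attributed to one user principal (UserId column).
// Why `=~` rather than `==`: KQL string equality is case-sensitive, so a UPN
// that was recorded with different casing would be silently dropped from the
// hunt. Case-insensitive comparison is the safe default when pivoting on an
// identity; the pinned literal itself is unchanged.
OfficeActivity
| where UserId =~ "franmer@seccxp.ninja"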

---------------------------------------------------------


Unnamed: 0,TenantId,Application,UserDomain,UserAgent,RecordType,TimeGenerated,Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,...,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-22 13:32:18+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
1,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 15:06:46+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
2,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-21 00:34:27+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
3,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 00:29:21+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
4,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 07:42:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
5,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-03 10:50:27+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
6,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-05 17:33:13+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
7,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-16 16:00:36+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",b6e65498-8dce-4d57-8de9-1269fcfcf6ce,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
8,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-17 20:47:22+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",b6e65498-8dce-4d57-8de9-1269fcfcf6ce,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
9,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-17 12:14:04+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,



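// Same pivot as above but on the UserId_ column, which the result set shows
// alongside UserId (both are populated with the UPN in the rows returned here).
// `=~` keeps the match case-insensitive so a differently-cased UPN is not
// silently excluded; KQL's `==` is a case-sensitive string comparison.
OfficeActivity
| where UserId_ =~ "franmer@seccxp.ninja"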

----------------------------------------------------------


Unnamed: 0,TenantId,Application,UserDomain,UserAgent,RecordType,TimeGenerated,Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,...,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 15:06:46+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
1,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-21 00:34:27+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
2,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 00:29:21+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
3,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 07:42:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
4,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-03 10:50:27+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
5,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-22 13:32:18+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
6,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-16 16:00:36+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",b6e65498-8dce-4d57-8de9-1269fcfcf6ce,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
7,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-17 20:47:22+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",b6e65498-8dce-4d57-8de9-1269fcfcf6ce,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
8,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-17 12:14:04+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
9,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-17 21:47:51+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",f3f64fec-ecee-4e9a-9eed-a36a5e421300,f3f64fec-ecee-4e9a-9eed-a36a5e421300,OfficeActivity,



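// Mailbox-owner pivot: events where the mailbox being accessed belongs to the
// principal, rather than events the principal performed. For MailItemsAccessed
// this is the view to use when the question is "who read this user's mail",
// since the actor and the owner can differ. `=~` keeps the UPN match
// case-insensitive (KQL `==` is case-sensitive).
OfficeActivity
| where MailboxOwnerUPN =~ "franmer@seccxp.ninja"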

------------------------------------------------------------------


Unnamed: 0,TenantId,Application,UserDomain,UserAgent,RecordType,TimeGenerated,Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,...,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-18 08:35:51+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
1,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-18 00:56:26+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
2,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-19 00:41:19+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
3,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-19 07:39:11+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
4,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 15:06:46+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
5,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-21 00:34:27+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
6,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 00:29:21+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
7,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-06-20 07:42:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
8,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-13 01:10:08+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
9,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-05-19 03:29:15+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,10032001141FDD3D,Exchange,Succeeded,Succeeded,,franmer@seccxp.ninja,franmer@seccxp.ninja,,,,,,,,,...,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",f3f64fec-ecee-4e9a-9eed-a36a5e421300,f3f64fec-ecee-4e9a-9eed-a36a5e421300,OfficeActivity,
