Data Source: O365 Consent to application.

Data source object for O365 Consent to application.

Property Value
Source o365
Sourcetype o365:management:activity
Separator Operation
+ Fields

            1
            _time
          
            3
            ActorContextId
          
            5
            Actor{}.ID
          
            7
            Actor{}.Type
          
            9
            AzureActiveDirectoryEventType
          
            11
            CreationTime
          
            13
            ExtendedProperties{}.Name
          
            15
            ExtendedProperties{}.Value
          
            17
            Id
          
            19
            InterSystemsId
          
            21
            IntraSystemId
          
            23
            ModifiedProperties{}.Name
          
            25
            ModifiedProperties{}.NewValue
          
            27
            ModifiedProperties{}.OldValue
          
            29
            ObjectId
          
            31
            Operation
          
            33
            OrganizationId
          
            35
            RecordType
          
            37
            ResultStatus
          
            39
            SupportTicketId
          
            41
            TargetContextId
          
            43
            Target{}.ID
          
            45
            Target{}.Type
          
            47
            UserId
          
            49
            UserKey
          
            51
            UserType
          
            53
            Version
          
            55
            Workload
          
            57
            additionalDetails
          
            59
            app
          
            61
            authentication_service
          
            63
            command
          
            65
            date_hour
          
            67
            date_mday
          
            69
            date_minute
          
            71
            date_month
          
            73
            date_second
          
            75
            date_wday
          
            77
            date_year
          
            79
            date_zone
          
            81
            dest
          
            83
            dest_name
          
            85
            dvc
          
            87
            event_type
          
            89
            extendedAuditEventCategory
          
            91
            host
          
            93
            index
          
            95
            linecount
          
            97
            object
          
            99
            punct
          
            101
            record_type
          
            103
            signature
          
            105
            source
          
            107
            sourcetype
          
            109
            splunk_server
          
            111
            status
          
            113
            timeendpos
          
            115
            timestartpos
          
            117
            user
          
            119
            user_agent
          
            121
            user_agent_change
          
            123
            user_id
          
            125
            user_type
          
            127
            vendor_account
          
            129
            vendor_product
          
            131
            
          
...
not set
1{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""}, {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.Tags", "NewValue": "", "OldValue": ""}, {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Id: r2KtIS6Zn0q2wWeqbIputLSZcc5Sj_NGtUtP2B3pYeI, ClientId: 21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4, PrincipalId: , ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; ", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}

Source: GitHub | Version: 1