From 8bdacbaa81c60cff95f484d6b00c48932d7c15ba Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Sun, 12 May 2024 22:06:30 +0000 Subject: [PATCH] Refresh intakes documentation --- .../07c0cac8-f68f-11ea-adc1-0242ac120002.md | 95 +- .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 7 - .../ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md | 3175 +++++++++++++++++ .../d3a813ac-f9b5-451c-a602-a5994544d9ed.md | 253 +- 4 files changed, 3209 insertions(+), 321 deletions(-) create mode 100644 _shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index 7dc84e82e3..872d44bb89 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md @@ -38,16 +38,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 424805057484 eni-0f06a40fc9be596f6 212.83.179.156 10.0.0.96 123 123 17 2 152 1599665193 1599665488 ACCEPT OK", "event": { - "action": "accept", "category": [ "network" ], "end": "2020-09-09T15:31:28Z", "outcome": "ok", - "start": "2020-09-09T15:26:33Z", - "type": [ - "allowed" - ] + "start": "2020-09-09T15:26:33Z" }, "@timestamp": "2020-09-09T15:26:33Z", "action": { @@ -60,10 +56,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "424805057484" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "10.0.0.96", 
@@ -93,9 +86,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "212.83.179.156", "packets": 2, "port": 123 - }, - "user": { - "id": "424805057484" } } @@ -109,16 +99,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"5.6.7.8\",\"dstaddr\":\"1.2.3.4\",\"srcport\":4712,\"dstport\":53205,\"protocol\":6,\"packets\":12,\"bytes\":2610,\"start\":1661950735,\"end\":1661950746,\"action\":\"ACCEPT\",\"log_status\":\"OK\"}\n", "event": { - "action": "accept", "category": [ "network" ], "end": "2022-08-31T12:59:06Z", "outcome": "ok", - "start": "2022-08-31T12:58:55Z", - "type": [ - "allowed" - ] + "start": "2022-08-31T12:58:55Z" }, "@timestamp": "2022-08-31T12:58:55Z", "action": { @@ -131,10 +117,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "424805057484" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "1.2.3.4", @@ -164,9 +147,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8", "packets": 12, "port": 4712 - }, - "user": { - "id": "424805057484" } } @@ -180,16 +160,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "5 424805057484 eni-1235b8ca123456789 52.95.128.179 10.0.0.71 46945 53 17 1 73 1658131186 1658131216 ACCEPT OK vpc-abcdefab012345678 subnet-aaaaaaaa012345678 - 0 IPv4 52.95.128.179 10.0.0.71 eu-west-1 euw1-az3 - - - - egress 8", "event": { - "action": "accept", "category": [ "network" ], "end": "2022-07-18T08:00:16Z", "outcome": "ok", - "start": "2022-07-18T07:59:46Z", - "type": [ - "allowed" - ] + "start": "2022-07-18T07:59:46Z" }, "@timestamp": "2022-07-18T07:59:46Z", "action": { 
@@ -202,10 +178,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "424805057484" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "10.0.0.71", @@ -235,9 +208,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "52.95.128.179", "packets": 1, "port": 46945 - }, - "user": { - "id": "424805057484" } } @@ -251,16 +221,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK", "event": { - "action": "accept", "category": [ "network" ], "end": "2016-10-31T11:37:00Z", "outcome": "ok", - "start": "2016-10-31T11:35:08Z", - "type": [ - "allowed" - ] + "start": "2016-10-31T11:35:08Z" }, "@timestamp": "2016-10-31T11:35:08Z", "action": { @@ -273,10 +239,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "123456789010" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "2001:db8:1234:a102:3304:8879:34cf:4071", @@ -306,9 +269,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "2001:db8:1234:a100:8d6e:3477:df66:f105", "packets": 54, "port": 34892 - }, - "user": { - "id": "123456789010" } } @@ -338,10 +298,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "123456789010" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "observer": { "ingress": { @@ -349,9 +306,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "eni-1235b8ca123456789" } } - }, - "user": { - "id": "123456789010" } } 
@@ -365,16 +319,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 424805057484 eni-0f06a40fc9be596f6 195.14.170.50 10.0.0.96 53996 20248 6 1 40 1599665374 1599665428 REJECT OK", "event": { - "action": "reject", "category": [ "network" ], "end": "2020-09-09T15:30:28Z", "outcome": "ok", - "start": "2020-09-09T15:29:34Z", - "type": [ - "denied" - ] + "start": "2020-09-09T15:29:34Z" }, "@timestamp": "2020-09-09T15:29:34Z", "action": { @@ -387,10 +337,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "424805057484" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "10.0.0.96", @@ -420,9 +367,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "195.14.170.50", "packets": 1, "port": 53996 - }, - "user": { - "id": "424805057484" } } @@ -436,16 +380,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":53094,\"dstport\":2323,\"protocol\":6,\"packets\":1,\"bytes\":40,\"start\":1661950735,\"end\":1661950746,\"action\":\"REJECT\",\"log_status\":\"OK\"}\n", "event": { - "action": "reject", "category": [ "network" ], "end": "2022-08-31T12:59:06Z", "outcome": "ok", - "start": "2022-08-31T12:58:55Z", - "type": [ - "denied" - ] + "start": "2022-08-31T12:58:55Z" }, "@timestamp": "2022-08-31T12:58:55Z", "action": { @@ -458,10 +398,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "account": { "id": "424805057484" }, - "provider": "aws", - "service": { - "name": "vpc" - } + "provider": "aws" }, "destination": { "address": "5.6.7.8", 
@@ -491,9 +428,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "1.2.3.4", "packets": 1, "port": 53094 - }, - "user": { - "id": "424805057484" } } @@ -516,10 +450,8 @@ The following table lists the fields that are extracted, normalized under the EC |`action.type` | `keyword` | The type of the action | |`cloud.account.id` | `keyword` | The cloud account or organization id. | |`cloud.provider` | `keyword` | Name of the cloud provider. | -|`cloud.service.name` | `keyword` | The cloud service name. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | -|`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | @@ -529,5 +461,4 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.packets` | `long` | Packets sent from the source to the destination. | |`source.port` | `long` | Port of the source. | -|`user.id` | `keyword` | Unique identifier of the user. | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 2445795cdf..9ac0238313 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md 
@@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2021-11-23T15:35:08.541882Z", "action": { "outcome_reason": "Configuration is changed in the admin session", - "target": "network-traffic", "type": "system" }, "log": { @@ -658,7 +657,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "roll-log", "outcome": "success", "outcome_reason": "Disk log has rolled.", - "target": "network-traffic", "type": "system" }, "fortinet": { @@ -2280,7 +2278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "login", "outcome": "failed", "outcome_reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts", - "target": "network-traffic", "type": "system" }, "log": { @@ -2315,7 +2312,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-new-con", "outcome": "success", "outcome_reason": "SSL new connection", - "target": "network-traffic", "type": "vpn" }, "destination": { @@ -3523,7 +3519,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "CRL_1", "outcome": "success", "outcome_reason": "A certificate is updated", - "target": "network-traffic", "type": "vpn" }, "fortinet": { @@ -3581,7 +3576,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-login-fail", "outcome": "success", "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", "type": "vpn" }, "fortinet": { @@ -3651,7 +3645,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ssl-login-fail", "outcome": "success", "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", "type": "vpn" }, "fortinet": { 
diff --git a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md
new file mode 100644
index 0000000000..c698d8af1a
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md
@@ -0,0 +1,3175 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | Key Vault events are analyzed in detail | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `database` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event_certificate_create.json" + + ```json + + { + "message": "{\"time\": \"2024-04-03T14:03:10.7886260Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateCreate\", \"resultType\": \"Success\", \"correlationId\": \"1216de2d-b866-4950-983f-46775e7fe659\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 202, \"requestUri\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/create?api-version=7.0\", \"isAccessPolicyMatch\": true, \"certificateProperties\": {\"attributes\": {\"enabled\": true}}, \"certificatePolicyProperties\": {\"certificateProperties\": {\"subject\": \"CN=GHEG FFF\", \"validityInMonths\": 12}, \"keyProperties\": {\"type\": \"RSA\", \"size\": 2048, \"reuse\": false, \"export\": true}, \"secretProperties\": {\"type\": \"application/x-pkcs12\"}, \"certificateIssuerProperties\": {\"name\": \"Self\"}, \"attributes\": 
{\"enabled\": true}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Accepted\", \"durationMs\": \"575\"}", + "event": { + "action": "CertificateCreate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:03:10.788626Z", + "azure": { + "key_vault": { + "correlation_id": "1216de2d-b866-4950-983f-46775e7fe659", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "certificateIssuerProperties": { + "name": "Self" + }, + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "Accepted", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 202 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/create?api-version=7.0", + "path": "/certificates/fdfdffffd/create", + "port": 443, + "query": "api-version=7.0", + "registered_domain": 
"azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_import.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:10:25.2996345Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateImport\", \"resultType\": \"Success\", \"resultDescription\": \"Private key is not specified in the specified X.509 PEM certificate content. Please specify private key in the X.509 PEM certificate content.\", \"correlationId\": \"1de288da-53e4-4563-8b1a-626cbf008d8d\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/certificates/mycertiii\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 400, \"requestUri\": \"https://myright3.vault.azure.net/certificates/mycertiii/import?api-version=7.0\", \"isAccessPolicyMatch\": true, \"certificatePolicyProperties\": {\"secretProperties\": {\"type\": \"application/x-pem-file\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Bad Request\", \"durationMs\": \"16\"}", + "event": { + "action": "CertificateImport", + "category": [ + "database" + ], + 
"dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:10:25.299634Z", + "azure": { + "key_vault": { + "correlation_id": "1de288da-53e4-4563-8b1a-626cbf008d8d", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://myright3.vault.azure.net/certificates/mycertiii", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "description": "Private key is not specified in the specified X.509 PEM certificate content. Please specify private key in the X.509 PEM certificate content.", + "signature": "Bad Request", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 400 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/certificates/mycertiii/import?api-version=7.0", + "path": "/certificates/mycertiii/import", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + 
}, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_import_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:13:06.9355325Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateImport\", \"resultType\": \"Success\", \"correlationId\": \"fa80015d-9a44-4786-bf2f-1024a83c63cd\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/certificates/yfuffuygu\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://myright3.vault.azure.net/certificates/yfuffuygu/import?api-version=7.0\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"size\": 2048}, \"secretProperties\": {\"type\": \"application/x-pkcs12\"}, \"certificateProperties\": {\"attributes\": {\"enabled\": true}, \"subject\": \"E=eff@ee.com, CN=sss, OU=cc, O=ffbb, L=bbdd, S=aabb, C=FR\", \"sha1\": \"8C593C21ABB940F7D334F927011B30519B2388BB\", \"sha256\": \"77C4C074B22B1DC59D4071128115BD43AE8FF4ABD1C539E0F0416E46BF037A4D\", \"nbf\": \"2024-04-08T15:09:12+00:00\", \"exp\": \"2027-01-03T15:09:12+00:00\"}, \"certificatePolicyProperties\": {\"secretProperties\": {\"type\": \"application/x-pkcs12\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"222\"}", + "event": { + "action": "CertificateImport", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + 
"type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:13:06.935532Z", + "azure": { + "key_vault": { + "correlation_id": "fa80015d-9a44-4786-bf2f-1024a83c63cd", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://myright3.vault.azure.net/certificates/yfuffuygu", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + }, + "secretProperties": { + "type": "application/x-pkcs12" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/certificates/yfuffuygu/import?api-version=7.0", + "path": "/certificates/yfuffuygu/import", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_certificate_update.json" + + ```json + + { + "message": 
"{\"time\": \"2024-04-04T06:49:04.5484056Z\", \"category\": \"AuditEvent\", \"operationName\": \"CertificateUpdate\", \"resultType\": \"Success\", \"correlationId\": \"0beabe33-25ee-4b8f-91de-4c7e47645d7b\", \"callerIpAddress\": \"147.161.246.101\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1?api-version=7.0\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-93068B9DE034/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"92\"}", + "event": { + "action": "CertificateUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:49:04.548405Z", + "azure": { + "key_vault": { + "correlation_id": "0beabe33-25ee-4b8f-91de-4c7e47645d7b", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0", + "id": 
"https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-93068B9DE034/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.246.101" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.246.101", + "ip": "147.161.246.101" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1?api-version=7.0", + "path": "/certificates/fdfdffffd/2b5dd56d53254413811cb3d3ea2529f1", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64)Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_backup.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:31.2803447Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyBackup\", \"resultType\": \"Success\", \"correlationId\": \"49c05377-7187-4f18-8374-0e101bba261d\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": 
\"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/backup?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"46\"}", + "event": { + "action": "KeyBackup", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:31.280344Z", + "azure": { + "key_vault": { + "correlation_id": "49c05377-7187-4f18-8374-0e101bba261d", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + 
"147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/backup?api-version=7.3", + "path": "/keys/egzghfgrrg/backup", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_delete.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:34.7178619Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyDelete\", \"resultType\": \"Success\", \"correlationId\": \"1822451f-ce87-4d9e-96bc-a723af8b5748\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": 
\"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"44\"}", + "event": { + "action": "KeyDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:34.717861Z", + "azure": { + "key_vault": { + "correlation_id": "1822451f-ce87-4d9e-96bc-a723af8b5748", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": 
"john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_delete_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:34.7178619Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyDelete\", \"resultType\": \"Success\", \"correlationId\": \"1822451f-ce87-4d9e-96bc-a723af8b5748\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"44\"}", + "event": { + "action": "KeyDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:34.717861Z", + "azure": { + "key_vault": { + "correlation_id": "1822451f-ce87-4d9e-96bc-a723af8b5748", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + 
"oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_get.json" + + ```json + + { + "message": "{\"time\": \"2024-04-03T14:02:45.0948723Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyGet\", \"resultType\": \"Success\", \"resultDescription\": \"A key with (name/id) egzghfgrrg was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182\", \"correlationId\": \"afabe187-cad6-4ca1-9698-e4ed73479b7c\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 404, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3&x-ms-include-der=true&_=1712126805788\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"Not Found\", \"durationMs\": \"22\"}", + "event": { + "action": "KeyGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:02:45.094872Z", + "azure": { + "key_vault": { + "correlation_id": "afabe187-cad6-4ca1-9698-e4ed73479b7c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true + }, + "resource_id": 
"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "A key with (name/id) egzghfgrrg was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182", + "signature": "Not Found", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 404 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg?api-version=7.3&x-ms-include-der=true&_=1712126805788", + "path": "/keys/egzghfgrrg", + "port": 443, + "query": "api-version=7.3&x-ms-include-der=true&_=1712126805788", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_get_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:42.7335214Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyGet\", \"resultType\": \"Success\", \"correlationId\": \"425dd404-f29a-4e68-9b88-2c3643b4462e\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", 
\"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/MyFirstKey?api-version=7.3&x-ms-include-der=true&_=1712127259288\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"attributes\": {\"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"12\"}", + "event": { + "action": "KeyGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:42.733521Z", + "azure": { + "key_vault": { + "correlation_id": "425dd404-f29a-4e68-9b88-2c3643b4462e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/MyFirstKey", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": 
{ + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/MyFirstKey?api-version=7.3&x-ms-include-der=true&_=1712127259288", + "path": "/keys/MyFirstKey", + "port": 443, + "query": "api-version=7.3&x-ms-include-der=true&_=1712127259288", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:14.1959057Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyList\", \"resultType\": \"Success\", \"correlationId\": \"e6f5733d-2c7d-4d66-94bb-7d77a434a44c\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712126805807\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": 
\"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"57\"}", + "event": { + "action": "KeyList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:14.195905Z", + "azure": { + "key_vault": { + "correlation_id": "e6f5733d-2c7d-4d66-94bb-7d77a434a44c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712126805807", + "path": "/keys", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712126805807", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": 
"Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-02T08:21:11.5722907Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyList\", \"resultType\": \"Success\", \"resultDescription\": \"Caller is not authorized to perform action on resource.\", \"correlationId\": \"4f1a71d0-6490-49dd-a720-1fa8adfef495\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"httpStatusCode\": 403, \"requestUri\": \"https://keytestint.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712042263953\", \"isRbacAuthorized\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"22\"}", + "event": { + "action": "KeyList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-02T08:21:11.572290Z", + "azure": { + "key_vault": { + "correlation_id": "4f1a71d0-6490-49dd-a720-1fa8adfef495", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "3686488a-04fc-4d8a-b967-61f98ec41efe" 
+ }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "description": "Caller is not authorized to perform action on resource.", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "keytestint.vault.azure.net", + "original": "https://keytestint.vault.azure.net/keys?api-version=7.3&maxresults=25&_=1712042263953", + "path": "/keys", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712042263953", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "keytestint.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_key_list_deleted.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:38.2178774Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyListDeleted\", \"resultType\": \"Success\", \"correlationId\": \"733c65c4-338c-4ef5-9d95-25ae18b46fda\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) 
Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys?api-version=7.0\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"OK\", \"durationMs\": \"46\"}", + "event": { + "action": "KeyListDeleted", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:38.217877Z", + "azure": { + "key_vault": { + "correlation_id": "733c65c4-338c-4ef5-9d95-25ae18b46fda", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys?api-version=7.0", + "path": "/deletedkeys", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": 
"testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_list_versions.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:28.1709577Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyListVersions\", \"resultType\": \"Success\", \"correlationId\": \"e8f90224-0296-424e-99ba-c5dd9870d362\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/versions?api-version=7.3&maxresults=25&_=1712127259287\", \"isAccessPolicyMatch\": true, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"18\"}", + "event": { + "action": "KeyListVersions", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:28.170957Z", + "azure": { + "key_vault": { + "correlation_id": "e8f90224-0296-424e-99ba-c5dd9870d362", + "identity": { + "claim": { + "amr": "pwd", + "appid": 
"3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/keys/egzghfgrrg/versions?api-version=7.3&maxresults=25&_=1712127259287", + "path": "/keys/egzghfgrrg/versions", + "port": 443, + "query": "api-version=7.3&maxresults=25&_=1712127259287", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_purge.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:52.0502260Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyPurge\", \"resultType\": \"Success\", \"resultDescription\": \"The user, group or application 
'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"3cff8050-bd18-4acd-94ba-c6196ffa3ad4\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"4\"}", + "event": { + "action": "KeyPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:52.050226Z", + "azure": { + "key_vault": { + "correlation_id": "3cff8050-bd18-4acd-94ba-c6196ffa3ad4", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; 
Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0", + "path": "/deletedkeys/MyFirstKey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_purge_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:47:52.0502260Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyPurge\", \"resultType\": \"Success\", 
\"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"3cff8050-bd18-4acd-94ba-c6196ffa3ad4\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"4\"}", + "event": { + "action": "KeyPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:47:52.050226Z", + "azure": { + "key_vault": { + "correlation_id": "3cff8050-bd18-4acd-94ba-c6196ffa3ad4", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { 
+ "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have keys purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedkeys/MyFirstKey?api-version=7.0", + "path": "/deletedkeys/MyFirstKey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_key_update.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:14:05.4057164Z\", \"category\": \"AuditEvent\", \"operationName\": \"KeyUpdate\", 
\"resultType\": \"Success\", \"correlationId\": \"bbd1b29d-5b8b-4639-9980-XXXXX\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.152.109\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 200, \"requestUri\": \"https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399?api-version=7.3\", \"isAccessPolicyMatch\": true, \"keyProperties\": {\"type\": \"RSA\", \"operations\": [\"sign\", \"unwrapKey\", \"encrypt\", \"decrypt\"], \"attributes\": {\"enabled\": true, \"exp\": 1775660989, \"hsmPlatform\": \"0\"}}, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"7.3\", \"resultSignature\": \"OK\", \"durationMs\": \"66\"}", + "event": { + "action": "KeyUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:14:05.405716Z", + "azure": { + "key_vault": { + "correlation_id": "bbd1b29d-5b8b-4639-9980-XXXXX", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.152.109", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": 
"https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399", + "isAccessPolicyMatch": true, + "keyProperties": { + "type": "RSA" + } + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "myright3.vault.azure.net", + "original": "https://myright3.vault.azure.net/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399?api-version=7.3", + "path": "/keys/iiii/c0d4c7ec6efb4fbeaec16a3872519399", + "port": 443, + "query": "api-version=7.3", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "myright3.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_backup.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:32.2816869Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretBackup\",\n \"resultType\": \"Success\",\n \"correlationId\": \"1062c64b-12ce-4202-aa9f-c60599f19b29\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": 
\"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/backup?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"43\"\n}", + "event": { + "action": "SecretBackup", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:32.281686Z", + "azure": { + "key_vault": { + "correlation_id": "1062c64b-12ce-4202-aa9f-c60599f19b29", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + 
}, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey/backup?api-version=7.0", + "path": "/secrets/keykey/backup", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_delete.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:43.7508346Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretDelete\",\n \"resultType\": \"Success\",\n \"correlationId\": \"7c8262f7-6f52-4887-8eb2-fa32ec32409a\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n 
\"durationMs\": \"73\"\n}", + "event": { + "action": "SecretDelete", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:43.750834Z", + "azure": { + "key_vault": { + "correlation_id": "7c8262f7-6f52-4887-8eb2-fa32ec32409a", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0", + "path": "/secrets/keykey", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== 
"test_event_secret_get.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-03T14:08:43.4316531Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretGet\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"A secret with (name/id) keykey was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182\",\n \"correlationId\": \"c86f2715-79c5-433f-937c-ed76ddde840c\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 404,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0&_=1712126805801\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Not Found\",\n \"durationMs\": \"183\"\n}", + "event": { + "action": "SecretGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:08:43.431653Z", + "azure": { + "key_vault": { + "correlation_id": "c86f2715-79c5-433f-937c-ed76ddde840c", + "identity": { + "claim": { + "amr": "pwd", + "appid": 
"3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "A secret with (name/id) keykey was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182", + "signature": "Not Found", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 404 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey?api-version=7.0&_=1712126805801", + "path": "/secrets/keykey", + "port": 443, + "query": "api-version=7.0&_=1712126805801", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_get_1.json" + + ```json + + { + "message": 
"{\n \"time\": \"2024-04-02T08:20:49.2681600Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretGet\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"Caller is not authorized to perform action on resource.\\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\\nCaller: appid=3686488a-04fc-4d8a-b967-XXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/\\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\\nResource: '/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourcegroups/integration/providers/microsoft.keyvault/vaults/keytestint/secrets/a'\\nAssignment: (not found)\\nDenyAssignmentId: null\\nDecisionReason: null \\nVault: keyTestInt;location=francecentral\",\n \"correlationId\": \"1b3aa393-f142-4329-8b1f-c5222119ae35\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://keytestint.vault.azure.net/secrets/a\",\n \"clientInfo\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"httpStatusCode\": 403,\n \"requestUri\": \"https://keytestint.vault.azure.net/secrets/a?api-version=7.0&_=1712042263922\",\n \"isRbacAuthorized\": false,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Forbidden\",\n \"durationMs\": \"27\"\n}", + "event": { + "action": "SecretGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + 
"access" + ] + }, + "@timestamp": "2024-04-02T08:20:49.268160Z", + "azure": { + "key_vault": { + "correlation_id": "1b3aa393-f142-4329-8b1f-c5222119ae35", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "id": "https://keytestint.vault.azure.net/secrets/a" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "description": "Caller is not authorized to perform action on resource.\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\nCaller: appid=3686488a-04fc-4d8a-b967-XXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\nResource: '/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourcegroups/integration/providers/microsoft.keyvault/vaults/keytestint/secrets/a'\nAssignment: (not found)\nDenyAssignmentId: null\nDecisionReason: null \nVault: keyTestInt;location=francecentral", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "keytestint.vault.azure.net", + "original": "https://keytestint.vault.azure.net/secrets/a?api-version=7.0&_=1712042263922", + "path": "/secrets/a", + "port": 443, + "query": "api-version=7.0&_=1712042263922", + 
"registered_domain": "azure.net", + "scheme": "https", + "subdomain": "keytestint.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_secret_list.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:43:25.5941616Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretList\",\n \"resultType\": \"Success\",\n \"correlationId\": \"58127e84-c72e-4f7c-9cd6-a68b8a5da547\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets?api-version=7.0&maxresults=25&_=1712127259280\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"76\"\n}", + "event": { + "action": "SecretList", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:43:25.594161Z", + "azure": { + "key_vault": { + "correlation_id": "58127e84-c72e-4f7c-9cd6-a68b8a5da547", + "identity": { + "claim": { + "amr": "pwd", + "appid": 
"3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets?api-version=7.0&maxresults=25&_=1712127259280", + "path": "/secrets", + "port": 443, + "query": "api-version=7.0&maxresults=25&_=1712127259280", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_list_deleted.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:44:25.3013619Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretListDeleted\",\n \"resultType\": \"Success\",\n \"correlationId\": \"d5f5868e-5280-41ba-a2e8-17bb3740ec1e\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": 
\"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"30\"\n}", + "event": { + "action": "SecretListDeleted", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:44:25.301361Z", + "azure": { + "key_vault": { + "correlation_id": "d5f5868e-5280-41ba-a2e8-17bb3740ec1e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + 
"john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets?api-version=7.0", + "path": "/deletedsecrets", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_purge.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:45:24.3756181Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretPurge\",\n \"resultType\": \"Success\",\n \"resultDescription\": \"The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\",\n \"correlationId\": \"524974e7-1a6f-4a01-aded-a0b846311986\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 403,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0\",\n \"isAccessPolicyMatch\": false,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Forbidden\",\n \"durationMs\": \"17\"\n}", + "event": { + "action": "SecretPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:45:24.375618Z", + "azure": { + "key_vault": { + "correlation_id": "524974e7-1a6f-4a01-aded-a0b846311986", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret", + "isAccessPolicyMatch": false + }, + "resource_id": 
"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=d4ba3e84-0444-4841-aaf7-XXXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-XXXXXXXX/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0", + "path": "/deletedsecrets/mysecret", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_purge_1.json" + + ```json + + { + "message": "{\"time\": \"2024-04-04T06:45:40.6759307Z\", \"category\": \"AuditEvent\", \"operationName\": \"SecretPurge\", \"resultType\": \"Success\", \"resultDescription\": \"The user, group or application 
'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\", \"correlationId\": \"ef7f13ed-3382-4838-990f-5947bd778835\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"appid\": \"3686488a-04fc-4d8a-b967-XXXXXXX\", \"scp\": \"user_impersonation\", \"appidacr\": \"0\", \"xms_az_nwperimid\": [], \"upn\": \"john.doe@dummy.onmicrosoft.com\", \"ipaddr\": \"147.161.0.0\", \"unique_name\": \"john.doe@dummy.onmicrosoft.com\", \"amr\": \"pwd\"}}, \"properties\": {\"id\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret\", \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\", \"httpStatusCode\": 403, \"requestUri\": \"https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0\", \"isAccessPolicyMatch\": false, \"tlsVersion\": \"TLS1_3\"}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\", \"operationVersion\": \"7.0\", \"resultSignature\": \"Forbidden\", \"durationMs\": \"10\"}", + "event": { + "action": "SecretPurge", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:45:40.675930Z", + "azure": { + "key_vault": { + "correlation_id": "ef7f13ed-3382-4838-990f-5947bd778835", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-XXXXXXX", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; 
Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret", + "isAccessPolicyMatch": false + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "The user, group or application 'appid=3686488a-04fc-4d8a-b967-XXXXXXX;oid=d4ba3e84-0444-4841-aaf7-XXXXX;numgroups=2;iss=https://sts.windows.net/d91d59da-80cd-4224-baef-10f72c103fc1/' does not have secrets purge permission on key vault 'testPermissionVault;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287", + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/deletedsecrets/mysecret?api-version=7.0", + "path": "/deletedsecrets/mysecret", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_restore.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-04T06:44:17.4857222Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretRestore\",\n \"resultType\": \"Success\",\n 
\"resultDescription\": \"There was a conflict restoring the secret 'https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465'. This can happen if either: a second secret with the same name was created after the first secret was deleted; thus trying to restore a secret whose name is already in use. To fix this, rename the second secret to something else so that the restore works. The second probable cause of this exception is when multiple operations are performed in parallel against the secret. To avoid this error, perform operations against a secret in a sequential manner.\",\n \"correlationId\": \"00f4eafb-43a6-412f-a908-fd20d5aef64c\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey\",\n \"clientInfo\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 409,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/restore?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"Conflict\",\n \"durationMs\": \"63\"\n}", + "event": { + "action": "SecretRestore", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-04T06:44:17.485722Z", + "azure": { + "key_vault": { + "correlation_id": 
"00f4eafb-43a6-412f-a908-fd20d5aef64c", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "description": "There was a conflict restoring the secret 'https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465'. This can happen if either: a second secret with the same name was created after the first secret was deleted; thus trying to restore a secret whose name is already in use. To fix this, rename the second secret to something else so that the restore works. The second probable cause of this exception is when multiple operations are performed in parallel against the secret. 
To avoid this error, perform operations against a secret in a sequential manner.", + "signature": "Conflict", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 409 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + "domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/restore?api-version=7.0", + "path": "/secrets/restore", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_secret_update.json" + + ```json + + { + "message": "{\n \"time\": \"2024-04-03T14:09:01.6116910Z\",\n \"category\": \"AuditEvent\",\n \"operationName\": \"SecretUpdate\",\n \"resultType\": \"Success\",\n \"correlationId\": \"0394c72d-e46d-4888-980a-434efc5bca3e\",\n \"callerIpAddress\": \"147.161.0.0\",\n \"identity\": {\n \"claim\": {\n \"oid\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXX\",\n \"appid\": \"3686488a-04fc-4d8a-b967-61f98ec41efe\",\n \"scp\": \"user_impersonation\",\n \"appidacr\": \"0\",\n \"xms_az_nwperimid\": [],\n \"upn\": \"john.doe@dummy.onmicrosoft.com\",\n \"ipaddr\": \"147.161.0.0\",\n \"unique_name\": \"john.doe@dummy.onmicrosoft.com\",\n \"amr\": \"pwd\"\n }\n },\n \"properties\": {\n \"id\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465\",\n \"clientInfo\": 
\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0\",\n \"httpStatusCode\": 200,\n \"requestUri\": \"https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465?api-version=7.0\",\n \"isAccessPolicyMatch\": true,\n \"secretProperties\": {\n \"attributes\": {\n \"enabled\": true,\n \"exp\": 1775199200\n }\n },\n \"tlsVersion\": \"TLS1_3\"\n },\n \"resourceId\": \"/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT\",\n \"operationVersion\": \"7.0\",\n \"resultSignature\": \"OK\",\n \"durationMs\": \"79\"\n}", + "event": { + "action": "SecretUpdate", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-03T14:09:01.611691Z", + "azure": { + "key_vault": { + "correlation_id": "0394c72d-e46d-4888-980a-434efc5bca3e", + "identity": { + "claim": { + "amr": "pwd", + "appid": "3686488a-04fc-4d8a-b967-61f98ec41efe", + "ipaddr": "147.161.0.0", + "oid": "d4ba3e84-0444-4841-aaf7-XXXXXXXX", + "scp": "user_impersonation", + "unique_name": "john.doe@dummy.onmicrosoft.com" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "id": "https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465", + "isAccessPolicyMatch": true + }, + "resource_id": "/SUBSCRIPTIONS/F40a1f1d-f2c6-4444-92a6-XXXXXXXXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TESTPERMISSIONVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ], + "user": [ + "john.doe@dummy.onmicrosoft.com" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "tls": { + "version": "TLS1_3" + }, + "url": { + 
"domain": "testpermissionvault.vault.azure.net", + "original": "https://testpermissionvault.vault.azure.net/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465?api-version=7.0", + "path": "/secrets/keykey/8fbb0accbfbe4ee4b025649ebabae465", + "port": 443, + "query": "api-version=7.0", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "testpermissionvault.vault", + "top_level_domain": "net" + }, + "user": { + "name": "john.doe@dummy.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/12.0", + "os": { + "name": "Ubuntu" + }, + "version": "12.0" + } + } + + ``` + + +=== "test_event_vault_get.json" + + ```json + + { + "message": "{\"time\": \"2024-04-02T08:20:41.7523185Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultGet\", \"resultType\": \"Success\", \"correlationId\": \"78d31457-b2b7-4da4-a76d-56bac62c1687\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"http://schemas.microsoft.com/identity/claims/objectidentifier\": \"d4ba3e84-0444-4841-aaf7-XXXXX\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\": \"john.doe@dummy.onmicrosoft.com\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\": \"john.doe@dummy.onmicrosoft.com\", \"appid\": \"c44b4083-3bb0-49c1-b47d-974e53cXXX\"}}, \"properties\": {\"id\": \"https://keytestint.vault.azure.net/\", \"clientInfo\": \"Mozilla/5.0\", \"requestUri\": \"https://management.azure.com/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-08-01-preview\", \"httpStatusCode\": 200, \"properties\": {\"sku\": {\"Family\": \"A\", \"Name\": \"Standard\", \"Capacity\": null}, \"tenantId\": \"d91d59da-80cd-4224-baef-XXXXXXXX\", \"networkAcls\": null, \"enabledForDeployment\": false, \"enabledForDiskEncryption\": false, \"enabledForTemplateDeployment\": false, \"enableSoftDelete\": true, 
\"softDeleteRetentionInDays\": 90, \"enableRbacAuthorization\": true, \"enablePurgeProtection\": null}}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT\", \"operationVersion\": \"2023-08-01-preview\", \"resultSignature\": \"OK\", \"durationMs\": \"16\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-02T08:20:41.752318Z", + "azure": { + "key_vault": { + "correlation_id": "78d31457-b2b7-4da4-a76d-56bac62c1687", + "identity": { + "claim": { + "appid": "c44b4083-3bb0-49c1-b47d-974e53cXXX" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://keytestint.vault.azure.net/", + "tenantid": "d91d59da-80cd-4224-baef-XXXXXXXX" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYTESTINT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "url": { + "domain": "management.azure.com", + "original": "https://management.azure.com/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-08-01-preview", + "path": "/subscriptions/F40A1F1D-F2C6-4444-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": 
"Other" + } + } + } + + ``` + + +=== "test_event_vault_get_1.json" + + ```json + + { + "message": "{ \"time\": \"2024-03-30T22:29:57.2784858Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultGet\", \"resultType\": \"Success\", \"correlationId\": \"xxxxxxxxxxxxx\", \"callerIpAddress\": \"1.2.3.4\", \"identity\": {\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"xxxxxxxxxxxxx\",\"appid\":\"app-id-xxxxxxxxxxxxx\"}}, \"properties\": {\"id\":\"https://keytestint.vault.azure.net/\",\"clientInfo\":\"AzureResourceGraph.IngestionWorkerService.global/1.2.3.4\",\"requestUri\":\"https://brazilsouth.management.azure.com/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-07-01&MaskCMKEnabledProperties=true\",\"httpStatusCode\":200,\"properties\":{\"sku\":{\"Family\":\"A\",\"Name\":\"Standard\",\"Capacity\":null},\"tenantId\":\"xxxxx-xxxx-xxxx-xxxx-xxxxxx\",\"networkAcls\":null,\"enabledForDeployment\":false,\"enabledForDiskEncryption\":false,\"enabledForTemplateDeployment\":false,\"enableSoftDelete\":true,\"softDeleteRetentionInDays\":90,\"enableRbacAuthorization\":true,\"enablePurgeProtection\":null}}, \"resourceId\": \"/SUBSCRIPTIONS/xxxxxx/xxxxx/xxxxxxx/xxxxx/MICROSOFT.KEYVAULT/VAULTS/xxxxxxx\", \"operationVersion\": \"2023-07-01\", \"resultSignature\": \"OK\", \"durationMs\": \"17\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-03-30T22:29:57.278485Z", + "azure": { + "key_vault": { + "correlation_id": "xxxxxxxxxxxxx", + "identity": { + "claim": { + "appid": "app-id-xxxxxxxxxxxxx" + } + }, + "properties": { + "clientInfo": "AzureResourceGraph.IngestionWorkerService.global/1.2.3.4", + "id": "https://keytestint.vault.azure.net/", + "tenantid": "xxxxx-xxxx-xxxx-xxxx-xxxxxx" + }, + "resource_id": 
"/SUBSCRIPTIONS/xxxxxx/xxxxx/xxxxxxx/xxxxx/MICROSOFT.KEYVAULT/VAULTS/xxxxxxx", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "brazilsouth.management.azure.com", + "original": "https://brazilsouth.management.azure.com/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt?api-version=2023-07-01&MaskCMKEnabledProperties=true", + "path": "/subscriptions/xxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/keyTestInt", + "port": 443, + "query": "api-version=2023-07-01&MaskCMKEnabledProperties=true", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "brazilsouth.management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "AzureResourceGraph.IngestionWorkerService.global/1.2.3.4", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_2.json" + + ```json + + { + "message": "{\n \"time\": \"2016-01-05T01:32:01.2691226Z\",\n \"resourceId\": \"/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT\",\n \"operationName\": \"VaultGet\",\n \"operationVersion\": \"2015-06-01\",\n \"category\": \"AuditEvent\",\n \"resultType\": \"Success\",\n \"resultSignature\": \"OK\",\n \"resultDescription\": \"\",\n \"durationMs\": \"78\",\n \"callerIpAddress\": \"104.40.82.76\",\n \"correlationId\": \"\",\n \"identity\": 
{\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"d9da5048-2737-4770-bd64-XXXXXXXXXXXX\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"live.com#username@outlook.com\",\"appid\":\"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX\"}},\n \"properties\": {\"clientInfo\":\"azure-resource-manager/2.0\",\"requestUri\":\"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01\",\"id\":\"https://contosokeyvault.vault.azure.net/\",\"httpStatusCode\":200}\n }", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2016-01-05T01:32:01.269122Z", + "azure": { + "key_vault": { + "identity": { + "claim": { + "appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" + } + }, + "properties": { + "clientInfo": "azure-resource-manager/2.0", + "id": "https://contosokeyvault.vault.azure.net/" + }, + "resource_id": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "104.40.82.76" + ] + }, + "source": { + "address": "104.40.82.76", + "ip": "104.40.82.76" + }, + "url": { + "domain": "control-prod-wus.vaultcore.azure.net", + "original": "https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01", + "path": 
"/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault", + "port": 443, + "query": "api-version=2015-06-01", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "control-prod-wus.vaultcore", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "azure-resource-manager/2.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_3.json" + + ```json + + { + "message": "{\n \"time\": \"2016-01-05T01:32:01.2691226Z\",\n \"resourceId\": \"/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT\",\n \"operationName\": \"VaultGet\",\n \"operationVersion\": \"2015-06-01\",\n \"category\": \"AuditEvent\",\n \"resultType\": \"Success\",\n \"resultSignature\": \"Forbidden\",\n \"resultDescription\": \"\",\n \"durationMs\": \"78\",\n \"callerIpAddress\": \"104.40.82.76\",\n \"correlationId\": \"\",\n \"identity\": {\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"d9da5048-2737-4770-bd64-XXXXXXXXXXXX\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"live.com#username@outlook.com\",\"appid\":\"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX\"}},\n \"properties\": {\"clientInfo\":\"azure-resource-manager/2.0\",\"requestUri\":\"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01\",\"id\":\"https://contosokeyvault.vault.azure.net/\",\"httpStatusCode\":200}\n }", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "failure", + "type": [ + "access" + ] + }, + "@timestamp": "2016-01-05T01:32:01.269122Z", + "azure": { + "key_vault": { + "identity": { + "claim": { + "appid": 
"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" + } + }, + "properties": { + "clientInfo": "azure-resource-manager/2.0", + "id": "https://contosokeyvault.vault.azure.net/" + }, + "resource_id": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT", + "result": { + "signature": "Forbidden", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "104.40.82.76" + ] + }, + "source": { + "address": "104.40.82.76", + "ip": "104.40.82.76" + }, + "url": { + "domain": "control-prod-wus.vaultcore.azure.net", + "original": "https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01", + "path": "/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault", + "port": 443, + "query": "api-version=2015-06-01", + "registered_domain": "azure.net", + "scheme": "https", + "subdomain": "control-prod-wus.vaultcore", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "azure-resource-manager/2.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_get_4.json" + + ```json + + { + "message": 
"{\"time\":\"2024-04-17T13:34:17.9174081Z\",\"category\":\"AuditEvent\",\"operationName\":\"VaultGet\",\"resultType\":\"Success\",\"correlationId\":\"correlationIdValue\",\"callerIpAddress\":\"1.2.3.4\",\"identity\":{\"claim\":{\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"test@test.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"test@test.com\",\"appid\":\"appid-xxxxxxxxxxxxxxxxx\"}},\"properties\":{\"id\":\"https://testkey.vault.azure.net/\",\"clientInfo\":\"Mozilla/5.0\",\"requestUri\":\"https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey?api-version=2023-08-01-preview\",\"httpStatusCode\":200,\"properties\":{\"sku\":{\"Family\":\"A\",\"Name\":\"Standard\",\"Capacity\":null},\"tenantId\":\"tenantid-xxxxxxxxxxxxxxxxxxxxx\",\"networkAcls\":{\"bypass\":\"AzureServices\",\"defaultAction\":\"Allow\"},\"enabledForDeployment\":false,\"enabledForDiskEncryption\":false,\"enabledForTemplateDeployment\":true,\"enableSoftDelete\":true,\"softDeleteRetentionInDays\":90,\"enableRbacAuthorization\":true,\"enablePurgeProtection\":null}},\"resourceId\":\"/SUBSCRIPTIONS/xxxxxxxxxxxxxxxx/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/testkey\",\"operationVersion\":\"2023-08-01-preview\",\"resultSignature\":\"OK\",\"durationMs\":\"29\"}", + "event": { + "action": "VaultGet", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-17T13:34:17.917408Z", + "azure": { + "key_vault": { + "correlation_id": "correlationIdValue", + "identity": { + "claim": { + "appid": "appid-xxxxxxxxxxxxxxxxx" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://testkey.vault.azure.net/", + "tenantid": "tenantid-xxxxxxxxxxxxxxxxxxxxx" + }, + "resource_id": 
"/SUBSCRIPTIONS/xxxxxxxxxxxxxxxx/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/testkey", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "management.azure.com", + "original": "https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey?api-version=2023-08-01-preview", + "path": "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/testkey", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_event_vault_patch.json" + + ```json + + { + "message": "{\"time\": \"2024-04-08T15:15:50.6257670Z\", \"category\": \"AuditEvent\", \"operationName\": \"VaultPatch\", \"resultType\": \"Success\", \"correlationId\": \"eb6f7f30-b6ae-4ba6-a6cf-fbe90d4d5121\", \"callerIpAddress\": \"147.161.0.0\", \"identity\": {\"claim\": {\"http://schemas.microsoft.com/identity/claims/objectidentifier\": \"d4ba3e84-0444-4841-aaf7-XXXXXXXXXXXX\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\": \"john.doe@dummy.onmicrosoft.com\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\": \"john.doe@dummy.onmicrosoft.com\", \"appid\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\"}}, \"properties\": {\"id\": \"https://myright3.vault.azure.net/\", \"clientInfo\": \"Mozilla/5.0\", \"requestUri\": 
\"https://management.azure.com/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3?api-version=2023-08-01-preview\", \"httpStatusCode\": 200, \"properties\": {\"sku\": {\"Family\": \"A\", \"Name\": \"Standard\", \"Capacity\": null}, \"tenantId\": \"d91d59da-80cd-4224-baef-10f72c103fc1\", \"networkAcls\": {\"bypass\": \"AzureServices\", \"defaultAction\": \"Allow\"}, \"enabledForDeployment\": true, \"enabledForDiskEncryption\": false, \"enabledForTemplateDeployment\": false, \"enableSoftDelete\": true, \"softDeleteRetentionInDays\": 90, \"enableRbacAuthorization\": false, \"enablePurgeProtection\": null}}, \"resourceId\": \"/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3\", \"operationVersion\": \"2023-08-01-preview\", \"resultSignature\": \"OK\", \"durationMs\": \"78\"}", + "event": { + "action": "VaultPatch", + "category": [ + "database" + ], + "dataset": "keyvault", + "outcome": "success", + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-08T15:15:50.625767Z", + "azure": { + "key_vault": { + "correlation_id": "eb6f7f30-b6ae-4ba6-a6cf-fbe90d4d5121", + "identity": { + "claim": { + "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" + } + }, + "properties": { + "clientInfo": "Mozilla/5.0", + "id": "https://myright3.vault.azure.net/", + "tenantid": "d91d59da-80cd-4224-baef-10f72c103fc1" + }, + "resource_id": "/SUBSCRIPTIONS/F40A1F1D-F2C6-4444-92A6-XXXX/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/MYRIGHT3", + "result": { + "signature": "OK", + "type": "Success" + } + } + }, + "cloud": { + "provider": "azure", + "service": { + "name": "Azure Key Vault" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "147.161.0.0" + ] + }, + "source": { + "address": "147.161.0.0", + "ip": "147.161.0.0" + }, + "url": { + "domain": "management.azure.com", + "original": 
"https://management.azure.com/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3?api-version=2023-08-01-preview", + "path": "/subscriptions/f40a1f1d-f2c6-4444-92a6-XXXX/resourceGroups/Integration/providers/Microsoft.KeyVault/vaults/myright3", + "port": 443, + "query": "api-version=2023-08-01-preview", + "registered_domain": "azure.com", + "scheme": "https", + "subdomain": "management", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`azure.key_vault.correlation_id` | `keyword` | The correlation id of the key vault operation | +|`azure.key_vault.identity.claim.amr` | `keyword` | The Authentication Method Reference of the identity. The amr claim contains an array of strings representing the authentication methods that were applied and verified during the user's sign-in. These strings represent identifiers for the authentication methods used, such as: +'pwd' for password-based authentication 'mfa' for multi-factor authentication 'otp' for one-time password 'sms' for authentication via SMS etc. 
| +|`azure.key_vault.identity.claim.appid` | `keyword` | The application id of the identity | +|`azure.key_vault.identity.claim.ipaddr` | `keyword` | The ip address of the identity | +|`azure.key_vault.identity.claim.oid` | `keyword` | The object id of the identity | +|`azure.key_vault.identity.claim.scp` | `keyword` | The scp of the identity | +|`azure.key_vault.identity.claim.unique_name` | `keyword` | The unique name of the identity | +|`azure.key_vault.properties.certificateIssuerProperties.name` | `keyword` | The name of the certificate issuer properties | +|`azure.key_vault.properties.clientInfo` | `keyword` | The client info of the key vault operation | +|`azure.key_vault.properties.id` | `keyword` | The id of the key vault operation | +|`azure.key_vault.properties.isAccessPolicyMatch` | `boolean` | Determines if access policy matches the expectations | +|`azure.key_vault.properties.keyProperties.type` | `keyword` | The type of the key properties | +|`azure.key_vault.properties.secretProperties.type` | `keyword` | The type of the secret properties | +|`azure.key_vault.properties.tenantid` | `keyword` | The tenant id of the key vault operation | +|`azure.key_vault.resource_id` | `keyword` | The resource id of the key vault operation | +|`azure.key_vault.result.description` | `keyword` | The result description of the key vault operation | +|`azure.key_vault.result.signature` | `keyword` | The result signature of the key vault operation | +|`azure.key_vault.result.type` | `keyword` | The result type of the key vault operation | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.outcome` | `keyword` | The outcome of the event. 
The lowest level categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`source.ip` | `ip` | IP address of the source. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md index 1cf5ffd566..6bdc083515 100644 --- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md +++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "dataset": "cloudtrail", "outcome": "success", "provider": "ec2.amazonaws.com", "type": [ @@ -57,17 +56,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "userData": "" }, "userIdentity": { - "accessKeyId": "ASIA1111111111111", "accountId": "1111111111", "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", "sessionContext": { "attributes": { - "creationDate": "2022-08-31T07:20:10Z", "mfaAuthenticated": "true" - }, - "sessionIssuer": {}, - "webIdFederationData": {} + } }, "type": "Root" } 
@@ -77,28 +72,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "aws": { "cloudtrail": { - "event_version": "1.08", "flattened": { - "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}", - "response_elements": "{\"_return\": true, \"requestId\": \"5fcae0f1-790c-4a86-85aa-0b3fd120e341\"}" - }, - "recipient_account_id": "1111111111", - "request_parameters": { - "userData": "" + "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}" }, "user_identity": { "accessKeyId": "ASIA1111111111111", "accountId": "1111111111", "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", - "sessionContext": { - "attributes": { - "creationDate": "2022-08-31T07:20:10Z", - "mfaAuthenticated": "true" - }, - "sessionIssuer": {}, - "webIdFederationData": {} - }, "type": "Root" } } @@ -155,7 +136,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "dataset": "cloudtrail", "outcome": "success", "provider": "cloudtrail.amazonaws.com", "type": [ @@ -169,17 +149,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "properties": { "recipientAccountId": "1111111111", "userIdentity": { - "accessKeyId": "ASIA1111111111111", "accountId": "1111111111", "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", "sessionContext": { "attributes": { - "creationDate": "2020-08-12T07:04:40Z", "mfaAuthenticated": "false" - }, - "sessionIssuer": {}, - "webIdFederationData": {} + } }, "type": "Root" } 
@@ -189,24 +165,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "aws": { "cloudtrail": { - "event_version": "1.05", "flattened": { "request_parameters": "{\"eventCategory\": \"insight\", \"maxResults\": 50}" }, - "recipient_account_id": "1111111111", "user_identity": { "accessKeyId": "ASIA1111111111111", "accountId": "1111111111", "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", - "sessionContext": { - "attributes": { - "creationDate": "2020-08-12T07:04:40Z", - "mfaAuthenticated": "false" - }, - "sessionIssuer": {}, - "webIdFederationData": {} - }, "type": "Root" } } @@ -259,7 +225,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "dataset": "cloudtrail", "outcome": "success", "provider": "ecs.amazonaws.com", "type": [ @@ -273,7 +238,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "properties": { "recipientAccountId": "007", "userIdentity": { - "accessKeyId": "AAAAAAAAA", "accountId": "00000", "arn": "arn:aws:iam::0:user/demo", "principalId": "demo", 
@@ -287,12 +251,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "aws": {
 "cloudtrail": {
 "cluster_name": "cluster_name",
- "event_version": "1.08",
 "flattened": {
- "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}",
- "response_elements": "{\"cluster\": {\"activeServicesCount\": 0, \"attachments\": [], \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\", \"capacityProviders\": [\"DEMO\"], \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\", \"clusterName\": \"cluster_name\", \"configuration\": {\"executeCommandConfiguration\": {\"logConfiguration\": {\"cloudWatchEncryptionEnabled\": true, \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\", \"s3EncryptionEnabled\": false}, \"logging\": \"OVERRIDE\"}}, \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}], \"pendingTasksCount\": 0, \"registeredContainerInstancesCount\": 0, \"runningTasksCount\": 0, \"settings\": [{\"name\": \"containerInsights\", \"value\": \"enabled\"}], \"statistics\": [], \"status\": \"ACTIVE\", \"tags\": []}}"
+ "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}"
 },
- "recipient_account_id": "007",
 "user_identity": {
 "accessKeyId": "AAAAAAAAA",
 "accountId": "00000",
@@ -347,7 +308,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "code": "Client.AuthFailure",
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "ec2.amazonaws.com",
 "reason": "vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.",
@@ -364,7 +324,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "errorMessage": "vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.",
 "recipientAccountId": "1111111111",
 "userIdentity": {
- "accessKeyId": "AKIA1111111111",
 "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:root",
 "principalId": "1111111111",
@@ -376,11 +335,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
 "flattened": {
 "request_parameters": "{\"exportToS3\": {\"containerFormat\": \"ova\", \"diskImageFormat\": \"VMDK\", \"s3Bucket\": \"qbo-export-instance-bucket\", \"s3Prefix\": \"vms\"}, \"instanceId\": \"i-00000000000000\", \"targetEnvironment\": \"vmware\"}"
 },
- "recipient_account_id": "1111111111",
 "user_identity": {
 "accessKeyId": "AKIA1111111111",
 "accountId": "1111111111",
@@ -443,7 +400,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "ec2.amazonaws.com",
 "type": [
@@ -460,17 +416,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "userData": ""
 },
 "userIdentity": {
- "accessKeyId": "ASI00000000000000000",
 "accountId": "111111111111",
 "arn": "arn:aws:iam::111111111111:root",
 "principalId": "111111111111",
 "sessionContext": {
 "attributes": {
- "creationDate": "2022-09-01T06:46:50Z",
 "mfaAuthenticated": "true"
- },
- "sessionIssuer": {},
- "webIdFederationData": {}
+ }
 },
 "type": "Root"
 }
@@ -480,28 +432,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.08",
 "flattened": {
- "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}",
- "response_elements": "{\"_return\": true, \"requestId\": \"190dc310-2b3e-41bc-ad3f-970f95f24c1b\"}"
- },
- "recipient_account_id": "111111111111",
- "request_parameters": {
- "userData": ""
+ "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}"
 },
 "user_identity": {
 "accessKeyId": "ASI00000000000000000",
 "accountId": "111111111111",
 "arn": "arn:aws:iam::111111111111:root",
 "principalId": "111111111111",
- "sessionContext": {
- "attributes": {
- "creationDate": "2022-09-01T06:46:50Z",
- "mfaAuthenticated": "true"
- },
- "sessionIssuer": {},
- "webIdFederationData": {}
- },
 "type": "Root"
 }
 }
@@ -548,7 +486,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "iam.amazonaws.com",
 "type": [
@@ -562,7 +499,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "properties": {
 "recipientAccountId": "1111111111",
 "userIdentity": {
- "accessKeyId": "AKIA11111111111111",
 "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:root",
 "principalId": "1111111111",
@@ -574,18 +510,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
 "flattened": {
- "request_parameters": "{\"userName\": \"user\"}",
- "response_elements": "{\"user\": {\"arn\": \"arn:aws:iam::1111111111:user/user\", \"createDate\": \"Aug 12, 2020 12:16:24 PM\", \"path\": \"/\", \"userId\": \"AIDA11111111111111\", \"userName\": \"user\"}}"
- },
- "recipient_account_id": "1111111111",
- "request_parameters": {
- "userName": "user"
+ "request_parameters": "{\"userName\": \"user\"}"
 },
 "response_elements": {
 "user": {
- "arn": "arn:aws:iam::1111111111:user/user",
 "userName": "user"
 }
 },
@@ -652,7 +581,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "kms.amazonaws.com",
 "type": [
@@ -667,29 +595,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "recipientAccountId": "1111111111",
 "resources": [
 {
- "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c",
- "accountId": "1111111111",
- "type": "AWS::KMS::Key"
+ "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c"
 }
 ],
 "userIdentity": {
- "accessKeyId": "ASIA11111111111111",
 "accountId": "1111111111",
 "arn": "arn:aws:sts::1111111111:assumed-role/user/ctstreamer-dev-s3",
 "principalId": "AROA11111111111111:ctstreamer-dev-s3",
 "sessionContext": {
 "attributes": {
- "creationDate": "2020-08-12T12:03:12Z",
 "mfaAuthenticated": "false"
 },
 "sessionIssuer": {
- "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:role/user",
- "principalId": "AROA11111111111111",
 "type": "Role",
 "userName": "user"
- },
- "webIdFederationData": {}
+ }
 },
 "type": "AssumedRole"
 }
@@ -699,36 +620,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
 "flattened": {
 "request_parameters": "{\"encryptionAlgorithm\": \"SYMMETRIC_DEFAULT\", \"encryptionContext\": {\"aws:lambda:FunctionArn\": \"arn:aws:lambda:eu-west-3:1111111111:function:ctstreamer-dev-s3\"}}"
 },
- "recipient_account_id": "1111111111",
- "resources": [
- {
- "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c",
- "accountId": "1111111111",
- "type": "AWS::KMS::Key"
- }
- ],
 "user_identity": {
 "accessKeyId": "ASIA11111111111111",
 "accountId": "1111111111",
 "arn": "arn:aws:sts::1111111111:assumed-role/user/ctstreamer-dev-s3",
 "principalId": "AROA11111111111111:ctstreamer-dev-s3",
 "sessionContext": {
- "attributes": {
- "creationDate": "2020-08-12T12:03:12Z",
- "mfaAuthenticated": "false"
- },
 "sessionIssuer": {
- "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:role/user",
- "principalId": "AROA11111111111111",
- "type": "Role",
 "userName": "user"
- },
- "webIdFederationData": {}
+ }
 },
 "type": "AssumedRole"
 }
@@ -784,7 +688,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "rds.amazonaws.com",
 "type": [
@@ -801,17 +704,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "publiclyAccessible": false
 },
 "userIdentity": {
- "accessKeyId": "ASI00000000000000000",
 "accountId": "111111111111",
 "arn": "arn:aws:iam::111111111111:root",
 "principalId": "111111111111",
 "sessionContext": {
 "attributes": {
- "creationDate": "2022-09-01T06:46:50Z",
 "mfaAuthenticated": "true"
- },
- "sessionIssuer": {},
- "webIdFederationData": {}
+ }
 },
 "type": "Root"
 }
@@ -821,31 +720,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.08",
 "flattened": {
- "request_parameters": "{\"allowMajorVersionUpgrade\": false, \"applyImmediately\": true, \"dBInstanceIdentifier\": \"database-1\", \"masterUserPassword\": \"****\", \"maxAllocatedStorage\": 1000}",
- "response_elements": "{\"allocatedStorage\": 100, \"associatedRoles\": [], \"autoMinorVersionUpgrade\": true, \"availabilityZone\": \"eu-west-3b\", \"backupRetentionPeriod\": 7, \"backupTarget\": \"region\", \"cACertificateIdentifier\": \"rds-ca-2019\", \"copyTagsToSnapshot\": true, \"customerOwnedIpEnabled\": false, \"dBInstanceArn\": \"arn:aws:rds:eu-west-3:111111111111:db:database-1\", \"dBInstanceClass\": \"db.m6g.large\", \"dBInstanceIdentifier\": \"database-1\", \"dBInstanceStatus\": \"available\", \"dBParameterGroups\": [{\"dBParameterGroupName\": \"default.postgres13\", \"parameterApplyStatus\": \"in-sync\"}], \"dBSecurityGroups\": [], \"dBSubnetGroup\": {\"dBSubnetGroupDescription\": \"Created from the RDS Management Console\", \"dBSubnetGroupName\": \"default-vpc-00000000000000000\", \"subnetGroupStatus\": \"Complete\", \"subnets\": [{\"subnetAvailabilityZone\": {\"name\": \"eu-west-3a\"}, \"subnetIdentifier\": \"subnet-00000000000000000\", \"subnetOutpost\": {}, \"subnetStatus\": \"Active\"}], \"vpcId\": \"vpc-00000000000000000\"}, \"dbInstancePort\": 0, \"dbiResourceId\": \"db-00000000000000000000000000\", \"deletionProtection\": true, \"domainMemberships\": [], \"endpoint\": {\"address\": \"x.rds.amazonaws.com\", \"hostedZoneId\": \"ZMESEXB7ZGGQ3\", \"port\": 5432}, \"engine\": \"postgres\", \"engineVersion\": \"13.7\", \"enhancedMonitoringResourceArn\": \"arn:aws:logs:eu-west-3:111111111111:group:schema:stream:db-00000000000000000000000000\", \"httpEndpointEnabled\": false, \"iAMDatabaseAuthenticationEnabled\": false, \"instanceCreateTime\": \"Sep 1, 2022 12:47:35 PM\", \"iops\": 3000, \"kmsKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"latestRestorableTime\": \"Sep 1, 2022 2:07:11 PM\", \"licenseModel\": \"postgresql-license\", \"masterUsername\": \"postgres\", \"maxAllocatedStorage\": 1000, \"monitoringInterval\": 60, \"monitoringRoleArn\": \"arn:aws:iam::111111111111:role/role\", \"multiAZ\": true, \"networkType\": \"IPV4\", \"optionGroupMemberships\": [{\"optionGroupName\": \"default:postgres-13\", \"status\": \"in-sync\"}], \"pendingModifiedValues\": {\"masterUserPassword\": \"****\"}, \"performanceInsightsEnabled\": true, \"performanceInsightsKMSKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"performanceInsightsRetentionPeriod\": 7, \"preferredBackupWindow\": \"10:10-10:40\", \"preferredMaintenanceWindow\": \"thu:04:33-thu:05:03\", \"publiclyAccessible\": false, \"readReplicaDBInstanceIdentifiers\": [], \"secondaryAvailabilityZone\": \"eu-west-3c\", \"storageEncrypted\": true, \"storageThroughput\": 0, \"storageType\": \"io1\", \"tagList\": [], \"vpcSecurityGroups\": [{\"status\": \"active\", \"vpcSecurityGroupId\": \"sg-00000000000000000\"}]}"
+ "request_parameters": "{\"allowMajorVersionUpgrade\": false, \"applyImmediately\": true, \"dBInstanceIdentifier\": \"database-1\", \"masterUserPassword\": \"****\", \"maxAllocatedStorage\": 1000}"
 },
- "recipient_account_id": "111111111111",
 "response_elements": {
 "pendingModifiedValues": {
 "masterUserPassword": "****"
- },
- "publiclyAccessible": false
+ }
 },
 "user_identity": {
 "accessKeyId": "ASI00000000000000000",
 "accountId": "111111111111",
 "arn": "arn:aws:iam::111111111111:root",
 "principalId": "111111111111",
- "sessionContext": {
- "attributes": {
- "creationDate": "2022-09-01T06:46:50Z",
- "mfaAuthenticated": "true"
- },
- "sessionIssuer": {},
- "webIdFederationData": {}
- },
 "type": "Root"
 }
 }
@@ -889,7 +776,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "sts.amazonaws.com",
 "type": [
@@ -904,9 +790,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "recipientAccountId": "1111111111",
 "resources": [
 {
- "ARN": "arn:aws:iam::1111111111:role/user",
- "accountId": "1111111111",
- "type": "AWS::IAM::Role"
+ "ARN": "arn:aws:iam::1111111111:role/user"
 }
 ],
 "userIdentity": {
@@ -919,19 +803,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
 "flattened": {
- "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}",
- "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"11111111111111111111111111111111111111111\"}}"
+ "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}"
 },
- "recipient_account_id": "1111111111",
- "resources": [
- {
- "ARN": "arn:aws:iam::1111111111:role/user",
- "accountId": "1111111111",
- "type": "AWS::IAM::Role"
- }
- ],
 "user_identity": {
 "type": "AWSService"
 }
@@ -982,7 +856,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "authentication"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "signin.amazonaws.com",
 "type": [
@@ -996,7 +869,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "properties": {
 "recipientAccountId": "1111111111",
 "userIdentity": {
- "accessKeyId": "",
 "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:root",
 "principalId": "1111111111",
@@ -1008,11 +880,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
- "flattened": {
- "response_elements": "{\"ConsoleLogin\": \"Success\"}"
- },
- "recipient_account_id": "1111111111",
 "user_identity": {
 "accessKeyId": "",
 "accountId": "1111111111",
@@ -1071,7 +938,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "sts.amazonaws.com",
 "type": [
@@ -1086,9 +952,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "recipientAccountId": "1111111111",
 "resources": [
 {
- "ARN": "arn:aws:iam::1111111111:role/user",
- "accountId": "1111111111",
- "type": "AWS::IAM::Role"
+ "ARN": "arn:aws:iam::1111111111:role/user"
 }
 ],
 "userIdentity": {
@@ -1101,19 +965,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.05",
 "flattened": {
- "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}",
- "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"1111111111111111111111111111111111111111111111111111111111111111111111111\"}}"
+ "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}"
 },
- "recipient_account_id": "1111111111",
- "resources": [
- {
- "ARN": "arn:aws:iam::1111111111:role/user",
- "accountId": "1111111111",
- "type": "AWS::IAM::Role"
- }
- ],
 "user_identity": {
 "type": "AWSService"
 }
@@ -1165,7 +1019,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "code": "NoSuchBucketPolicy",
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "s3.amazonaws.com",
 "type": [
@@ -1181,17 +1034,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "target": "network-traffic",
 "type": "AwsCloudTrailInsight"
 },
- "aws": {
- "cloudtrail": {
- "event_version": "1.08",
- "insight_details": {
- "context": "{\"attributions\": [{\"attribute\": \"userIdentityArn\", \"baseline\": [{\"average\": 0.0020868905, \"value\": \"arn:aws:iam::1111111111:root\"}, {\"average\": 9.48587e-05, \"value\": \"arn:aws:sts::1111111111:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe\"}], \"insight\": [{\"average\": 1.3333333333, \"value\": \"arn:aws:iam::1111111111:root\"}]}, {\"attribute\": \"userAgent\", \"baseline\": [{\"average\": 0.0010434453, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0009485866, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0001897173, \"value\": \"AWS Internal\"}], \"insight\": [{\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}]}], \"statistics\": {\"baseline\": {\"average\": 0.0021817492}, \"baselineDuration\": 10542, \"insight\": {\"average\": 1.3333333333}, \"insightDuration\": 3}}",
- "state": "End",
- "type": "ApiErrorRateInsight"
- },
- "recipient_account_id": "1111111111"
- }
- },
 "cloud": {
 "provider": "aws",
 "region": "eu-west-3",
@@ -1215,7 +1057,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "elasticfilesystem.amazonaws.com",
 "type": [
@@ -1230,34 +1071,25 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "recipientAccountId": "1111111111",
 "resources": [
 {
- "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000",
- "accountId": "1111111111",
- "type": "AWS::EFS::FileSystem"
+ "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000"
 },
 {
- "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000",
- "accountId": "1111111111",
- "type": "AWS::EFS::AccessPoint"
+ "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000"
 }
 ],
 "userIdentity": {
- "accessKeyId": "AS000000000000000000",
 "accountId": "1111111111",
 "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111",
 "principalId": "AR0000000000000000:1111111111111111111111111",
 "sessionContext": {
 "attributes": {
- "creationDate": "2022-09-09T07:45:14Z",
 "mfaAuthenticated": "false"
 },
 "sessionIssuer": {
- "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:role/service-role/username",
- "principalId": "AR0000000000000000",
 "type": "Role",
 "userName": "username"
- },
- "webIdFederationData": {}
+ }
 },
 "type": "AssumedRole"
 }
@@ -1267,38 +1099,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.08",
- "recipient_account_id": "1111111111",
- "resources": [
- {
- "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000",
- "accountId": "1111111111",
- "type": "AWS::EFS::FileSystem"
- },
- {
- "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000",
- "accountId": "1111111111",
- "type": "AWS::EFS::AccessPoint"
- }
- ],
 "user_identity": {
 "accessKeyId": "AS000000000000000000",
 "accountId": "1111111111",
 "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111",
 "principalId": "AR0000000000000000:1111111111111111111111111",
 "sessionContext": {
- "attributes": {
- "creationDate": "2022-09-09T07:45:14Z",
- "mfaAuthenticated": "false"
- },
 "sessionIssuer": {
- "accountId": "1111111111",
 "arn": "arn:aws:iam::1111111111:role/service-role/username",
- "principalId": "AR0000000000000000",
- "type": "Role",
 "userName": "username"
- },
- "webIdFederationData": {}
+ }
 },
 "type": "AssumedRole"
 }
@@ -1343,7 +1153,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "authentication"
 ],
- "dataset": "cloudtrail",
 "outcome": "success",
 "provider": "signin.amazonaws.com",
 "type": [
@@ -1368,11 +1177,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "aws": {
 "cloudtrail": {
- "event_version": "1.08",
- "flattened": {
- "response_elements": "{\"ConsoleLogin\": \"Success\"}"
- },
- "recipient_account_id": "111111111",
 "user_identity": {
 "accountId": "111111111",
 "arn": "arn:aws:sts::111111111:assumed-role/role/user@example.org",
@@ -1438,25 +1242,11 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.errorMessage` | `keyword` | The message of the error associated to the request |
 |`action.properties.recipientAccountId` | `keyword` | The account ID that received the event |
 |`action.properties.requestParameters.userData` | `keyword` | The userData parameters sent with the request |
-|`action.properties.resources` | `list` | A list of resources accessed in the event |
-|`action.properties.responseElements.pendingModifiedValues.masterUserPassword` | `keyword` | The new master password for the RDS instance |
 |`action.properties.responseElements.publiclyAccessible` | `boolean` | Whether the requested ressource was public |
-|`action.properties.userIdentity` | `object` | Information about the user that made the request |
 |`action.target` | `keyword` | The target of the action |
 |`aws.cloudtrail.cluster_name` | `keyword` | The name of the cluster |
-|`aws.cloudtrail.event_version` | `keyword` | The version of the event |
 |`aws.cloudtrail.flattened.request_parameters` | `keyword` | The flattened version of the field requestParameters |
-|`aws.cloudtrail.flattened.response_elements` | `keyword` | The flattened version of the field responseElements |
-|`aws.cloudtrail.insight_details.context` | `keyword` | The context of the insight |
-|`aws.cloudtrail.insight_details.state` | `keyword` | The status of the insight |
-|`aws.cloudtrail.insight_details.type` | `keyword` | The type of the insight |
-|`aws.cloudtrail.recipient_account_id` | `keyword` | The account ID that received the event |
-|`aws.cloudtrail.request_parameters.userData` | `keyword` | The userData parameters sent with the request |
-|`aws.cloudtrail.request_parameters.userName` | `keyword` | The name of the user sent in the request |
-|`aws.cloudtrail.resources` | `list` | A list of resources accessed in the event |
 |`aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword` | `keyword` | The new master password for the RDS instance |
-|`aws.cloudtrail.response_elements.publiclyAccessible` | `boolean` | Whether the requested ressource was public |
-|`aws.cloudtrail.response_elements.user.arn` | `keyword` | The arn of the user in the response |
 |`aws.cloudtrail.response_elements.user.userName` | `keyword` | The name of the user in the response |
 |`cloud.account.id` | `keyword` | The cloud account or organization id. |
 |`cloud.instance.id` | `keyword` | Instance ID of the host machine. |
@@ -1466,7 +1256,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.code` | `keyword` | Identification code for this event. |
-|`event.dataset` | `keyword` | Name of the dataset. |
 |`event.provider` | `keyword` | Source of the event. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |