-
Notifications
You must be signed in to change notification settings - Fork 359
/
o365_change_user_license_.yml
100 lines (100 loc) · 5.03 KB
/
o365_change_user_license_.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: O365 Change user license.
id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for O365 Change user license.
source: o365
sourcetype: o365:management:activity
separator: Operation
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
version: 4.5.2
fields:
- _time
- ActorContextId
- Actor{}.ID
- Actor{}.Type
- AzureActiveDirectoryEventType
- CreationTime
- ExtendedProperties{}.Name
- ExtendedProperties{}.Value
- Id
- InterSystemsId
- IntraSystemId
- ObjectId
- Operation
- OrganizationId
- RecordType
- ResultStatus
- SupportTicketId
- TargetContextId
- Target{}.ID
- Target{}.Type
- UserId
- UserKey
- UserType
- Version
- Workload
- action
- additionalDetails
- app
- authentication_service
- change_type
- command
- dataset_name
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dest_name
- dvc
- event_type
- eventtype
- extendedAuditEventCategory
- host
- index
- linecount
- object
- object_attrs
- object_category
- punct
- record_type
- signature
- source
- sourcetype
- splunk_server
- src_user
- status
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- user_id
- user_type
- vendor_account
- vendor_product
example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7",
"Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75",
"RecordType": 8, "ResultStatus": "Success", "UserKey": "[email protected]",
"UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "[email protected]",
"UserId": "[email protected]", "AzureActiveDirectoryEventType":
1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"id\":\"64c07906-cb25-4d37-b38c-a862f2e49671\",\"seq\":\"6\",\"b\":\"://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"},{\\\\\\\"Name\\\\\\\":\\\\\\\"SPN\\\\\\\",\\\\\\\"OldValue\\\\\\\":null,\\\\\\\"NewValue\\\\\\\":\\\\\\\"Microsoft.Office365Portal;00000006-0000-0ff1-ce00-000000000000;00000006-0000-0ff1-ce00-000000000000/portal.microsoftonline.com;https://ncuportalprv-staging.office.com;https://scuportalprv-staging.office.com;https://admin.microsoft365.com;https://portal-sdf.apps.mil/;https://portal-sdf.apps.mil;https://portal.apps.mil/;https://portal.apps.mil;https://portal-sdf.office365.us/;https://portal-sdf.office365.us;https://portal.office365.us/;https://portal.office365.us;https://portal.microsoft.com;https://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"}]\\\",\\\"additionalDetails\\\":\\\"{\\\\\\\"User-Agent\\\\\\\":\\\\\\\"O365AdminPortal\\\\\\\"}\\\"}\",\"c\":\"6\"}"},
{"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties":
[], "Actor": [{"ID": "[email protected]", "Type": 5}, {"ID":
"1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1},
{"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f",
"Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User",
"Type": 2}], "ActorContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "InterSystemsId":
"0817f79e-f0ea-4518-9c21-7babc9a36a79", "IntraSystemId": "6ae5503d-8764-4f6f-9547-668f4b2f82ca",
"SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72",
"Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
"Type": 2}, {"ID": "[email protected]", "Type": 5}, {"ID":
"10032002CC029AE9", "Type": 3}], "TargetContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75"}'