<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: extract fields in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691890#M235546</link>
    <description>&lt;P&gt;Got it working, not the way I wanted, but it works.&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;index=1087_m365 sourcetype="o365:management:activity" authentication_service=AzureActiveDirectory "Actor{}.ID"="Azure MFA StrongAuthenticationService" 
|eval Device =mvindex('ModifiedProperties{}.NewValue', 0)
| rex field=Device "\"DeviceName\": \"(?&amp;lt;DeviceName&amp;gt;[^\"]+)\""
| rex field=Device "\"PhoneAppVersion\": \"(?&amp;lt;PhoneAppVersion&amp;gt;[^\"]+)\""
| rex field=Device "\"DeviceToken\": \"(?&amp;lt;DeviceToken&amp;gt;[^\"]+)\""
| table user DeviceName PhoneAppVersion DeviceToken&lt;/LI-CODE&gt;</description>
    <pubDate>Thu, 27 Jun 2024 21:15:13 GMT</pubDate>
    <dc:creator>Didalready</dc:creator>
    <dc:date>2024-06-27T21:15:13Z</dc:date>
    <item>
      <title>extract fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691874#M235537</link>
      <description>&lt;P&gt;I am trying to get DeviceName and DeviceToken into variables from a 365 log.&lt;BR /&gt;First I use eval Device =mvindex('ModifiedProperties{}.NewValue', 0)&lt;BR /&gt;which returns another MV with the data I want, but I can't seem to get to the field. Below is what Device shows in the editor.&lt;BR /&gt;Any help? I want something like eval DeviceName = ModifiedProperties{}.NewValue{0}.DeviceName, but nothing I try is right. I tried to save it as a string and extract from that, but even that I can't figure out. I think it's the MV inside an MV that is throwing me.&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;[
{
"DeviceName": "iPhone 13 mini",
"DeviceToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"DeviceTag": "SoftwareTokenActivated",
"PhoneAppVersion": "6.8.11",
"OathTokenTimeDrift": 0,
"DeviceId": "00000000-0000-0000-0000-000000000000",
"Id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"TimeInterval": 0,
"AuthenticationType": 3,
"NotificationType": 2,
"LastAuthenticatedTimestamp": "2024-06-27T15:00:42.8784693Z",
"AuthenticatorFlavor": null,
"HashFunction": null,
"TenantDeviceId": null,
"SecuredPartitionId": 0,
"SecuredKeyId": 0
}
]&lt;/LI-CODE&gt;</description>
      <pubDate>Thu, 27 Jun 2024 16:37:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691874#M235537</guid>
      <dc:creator>Didalready</dc:creator>
      <dc:date>2024-06-27T16:37:14Z</dc:date>
    </item>
    <item>
      <title>Re: extract fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691876#M235539</link>
      <description>&lt;P&gt;Please share your full event in raw format, anonymised appropriately.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2024 16:43:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691876#M235539</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2024-06-27T16:43:57Z</dc:date>
    </item>
    <item>
      <title>Re: extract fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691880#M235543</link>
      <description>&lt;P&gt;{"CreationTime": "2024-06-27T16:33:32", "Id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Operation": "Update user.", "OrganizationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "xxxxxxxxxxxxcom", "UserId": "ServicePrincipal_fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail", "NewValue": "[\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-16T15:01:08.3691641Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxYJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-14T16:08:39.6982523Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n 
\"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-S921U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2406.4052\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-06-25T16:23:06.2912051Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": \"hmacsha256\",\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-16T15:01:08.3691641Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-14T16:08:39.6982523Z\",\r\n \"AuthenticatorFlavor\": 
\"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPhoneAppDetail", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "Azure MFA StrongAuthenticationService", "Type": 1}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "ServicePrincipalxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "xxxxxxxxxxxxxxxxxxxxxxxxxxx", "InterSystemsId": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "IntraSystemId": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "SupportTicketId": "", "Target": [{"ID": "Userxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 5}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxx", "Type": 3}], "TargetContextId": "4xxxxxxxxxxxxxxxxxxxxxxa48xxxxxxx46"}&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2024 17:42:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691880#M235543</guid>
      <dc:creator>Didalready</dc:creator>
      <dc:date>2024-06-27T17:42:52Z</dc:date>
    </item>
    <item>
      <title>Re: extract fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691890#M235546</link>
      <description>&lt;P&gt;Got it working, not the way I wanted, but it works.&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;index=1087_m365 sourcetype="o365:management:activity" authentication_service=AzureActiveDirectory "Actor{}.ID"="Azure MFA StrongAuthenticationService" 
|eval Device =mvindex('ModifiedProperties{}.NewValue', 0)
| rex field=Device "\"DeviceName\": \"(?&amp;lt;DeviceName&amp;gt;[^\"]+)\""
| rex field=Device "\"PhoneAppVersion\": \"(?&amp;lt;PhoneAppVersion&amp;gt;[^\"]+)\""
| rex field=Device "\"DeviceToken\": \"(?&amp;lt;DeviceToken&amp;gt;[^\"]+)\""
| table user DeviceName PhoneAppVersion DeviceToken&lt;/LI-CODE&gt;</description>
      <pubDate>Thu, 27 Jun 2024 21:15:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/extract-fields/m-p/691890#M235546</guid>
      <dc:creator>Didalready</dc:creator>
      <dc:date>2024-06-27T21:15:13Z</dc:date>
    </item>
  </channel>
</rss>

