Solved: extract fields

Didalready · ‎06-27-2024

I am trying to get DeviceName and DeviceToken to var from 365 log
first I use eval Device =mvindex('ModifiedProperties{}.NewValue', 0)
which retuns another MV with the data I want but can seem to get to the field. Below is what Device shows in editor.
Any help? What something like eval DeviceName = ModifiedProperties{}.NewValue{0}.DeviceName but nothing is right I try. Tried to save as sting and extract but even that I cant figure out. Its the Mv in a MV I think is throwing me.

[
{
"DeviceName": "iPhone 13 mini",
"DeviceToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"DeviceTag": "SoftwareTokenActivated",
"PhoneAppVersion": "6.8.11",
"OathTokenTimeDrift": 0,
"DeviceId": "00000000-0000-0000-0000-000000000000",
"Id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"TimeInterval": 0,
"AuthenticationType": 3,
"NotificationType": 2,
"LastAuthenticatedTimestamp": "2024-06-27T15:00:42.8784693Z",
"AuthenticatorFlavor": null,
"HashFunction": null,
"TenantDeviceId": null,
"SecuredPartitionId": 0,
"SecuredKeyId": 0
}
]

Didalready · ‎06-27-2024

Got working, not way a wanted but works

index=1087_m365 sourcetype="o365:management:activity" authentication_service=AzureActiveDirectory "Actor{}.ID"="Azure MFA StrongAuthenticationService" 
|eval Device =mvindex('ModifiedProperties{}.NewValue', 0)
| rex field=Device "\"DeviceName\": \"(?<DeviceName>[^\"]+)\""
| rex field=Device "\"PhoneAppVersion\": \"(?<PhoneAppVersion>[^\"]+)\""
| rex field=Device "\"DeviceToken\": \"(?<DeviceToken>[^\"]+)\""
| table user DeviceName PhoneAppVersion DeviceToken

View solution in original post

Didalready · ‎06-27-2024

Got working, not way a wanted but works

index=1087_m365 sourcetype="o365:management:activity" authentication_service=AzureActiveDirectory "Actor{}.ID"="Azure MFA StrongAuthenticationService" 
|eval Device =mvindex('ModifiedProperties{}.NewValue', 0)
| rex field=Device "\"DeviceName\": \"(?<DeviceName>[^\"]+)\""
| rex field=Device "\"PhoneAppVersion\": \"(?<PhoneAppVersion>[^\"]+)\""
| rex field=Device "\"DeviceToken\": \"(?<DeviceToken>[^\"]+)\""
| table user DeviceName PhoneAppVersion DeviceToken

Didalready · ‎06-27-2024

{"CreationTime": "2024-06-27T16:33:32", "Id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Operation": "Update user.", "OrganizationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "xxxxxxxxxxxxcom", "UserId": "ServicePrincipal_fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail", "NewValue": "[\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-16T15:01:08.3691641Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxYJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-14T16:08:39.6982523Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-S921U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2406.4052\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-06-25T16:23:06.2912051Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": \"hmacsha256\",\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"Android\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-16T15:01:08.3691641Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n },\r\n {\r\n \"DeviceName\": \"SM-A205U\",\r\n \"DeviceToken\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"6.2404.2444\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": \"00000000-0000-0000-0000-000000000000\",\r\n \"Id\": \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\r\n \"TimeInterval\": 0,\r\n \"AuthenticationType\": 3,\r\n \"NotificationType\": 4,\r\n \"LastAuthenticatedTimestamp\": \"2024-05-14T16:08:39.6982523Z\",\r\n \"AuthenticatorFlavor\": \"Authenticator\",\r\n \"HashFunction\": null,\r\n \"TenantDeviceId\": null,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPhoneAppDetail", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "Azure MFA StrongAuthenticationService", "Type": 1}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "ServicePrincipalxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "xxxxxxxxxxxxxxxxxxxxxxxxxxx", "InterSystemsId": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "IntraSystemId": "xxxxxxxxxxxxxxxxxxxxxxxxxx", "SupportTicketId": "", "Target": [{"ID": "Userxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxx", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Type": 5}, {"ID": "xxxxxxxxxxxxxxxxxxxxxxxx", "Type": 3}], "TargetContextId": "4xxxxxxxxxxxxxxxxxxxxxxa48xxxxxxx46"}

ITWhisperer · ‎06-27-2024

Please share your full event in raw format, anonymised appropriately.

extract fields

field extraction

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

extract fields

field extraction

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside