karimaloulou committed on
Commit
a039a4b
·
verified ·
1 Parent(s): f4c58dc

Upload 3 files

Files changed (3)
  1. descriptions.py +437 -0
  2. format_input.py +259 -0
  3. testing_input.py +34 -0
descriptions.py ADDED
@@ -0,0 +1,437 @@
1
+ from api.format_input import (
2
+ detect_log_type,
3
+ )
4
+ def detecting_types(chaine):
5
+ types = []
6
+ lignes = chaine.splitlines()
7
+ for l in lignes:
8
+ types.append(detect_log_type(l))
9
+ print ('available types!')
10
+ print ('TYPES!!! ',types)
11
+ return types
12
+
13
+ # log_type = detect_log_type(log_input)
14
+ def descriptions (log_input):
15
+ for log_type in detecting_types(log_input):
16
+ if log_type == "sophos":
17
+ description += """ the columns from Sophos logs with their descriptions:
18
+ sourcetype: The type of source that generated the log entry.
19
+ _raw: The raw log message as received.
20
+ action: The action taken by the firewall.
21
+ app: The application associated with the session.
22
+ app_category: Category of the application.
23
+ app_is_cloud: Indicates if the application is cloud-based.
24
+ app_name: Name of the application.
25
+ app_resolved_by: Method by which the application was identified.
26
+ app_risk: Risk level of the application.
27
+ app_technology: Technology type of the application.
28
+ bytes: Total number of bytes transferred.
29
+ bytes_in: Number of bytes received.
30
+ bytes_out: Number of bytes sent.
31
+ con_id: Connection ID.
32
+ dest: Destination IP address.
33
+ dest_mac: Destination MAC address.
34
+ dest_port: Destination port.
35
+ dest_zone: Destination zone.
36
+ device_model: Model of the device.
37
+ device_name: Name of the device.
38
+ device_serial_id: Serial ID of the device.
39
+ dst_country: Destination country.
40
+ duration: Duration of the session.
41
+ dvc: Device name.
42
+ ether_type: Ethernet type.
43
+ fw_rule_id: Firewall rule ID.
44
+ fw_rule_type: Type of firewall rule.
45
+ hb_status: Heartbeat status.
46
+ host: Host IP address.
47
+ in_display_interface: Display interface name.
48
+ in_interface: Ingress interface.
49
+ log_component: Log component.
50
+ log_id: Log ID.
51
+ log_occurrence: Number of occurrences of the log entry.
52
+ log_subtype: Subtype of the log.
53
+ log_type: Type of log.
54
+ log_version: Version of the log format.
55
+ nat_rule_id: NAT rule ID.
56
+ packets: Total number of packets transferred.
57
+ packets_in: Number of packets received.
58
+ packets_out: Number of packets sent.
59
+ protocol: Protocol used in the session.
60
+ qualifier: Qualifier for the log entry.
61
+ severity: Severity level of the event.
62
+ src: Source IP address.
63
+ src_country: Source country.
64
+ src_interface: Source interface.
65
+ src_mac: Source MAC address.
66
+ src_port: Source port.
67
+ src_zone: Source zone.
68
+ timeendpos: End position of the timestamp in the raw log.
69
+ timestamp: Timestamp of the event.
70
+ timestartpos: Start position of the timestamp in the raw log.
71
+ transport: Transport protocol used.
72
+ _bkt: Bucket name where the event is stored in Splunk.
73
+ _cd: Composite ID of the event.
74
+ _indextime: Epoch time when the event was indexed.
75
+ _kv: Key-value extraction indicator.
76
+ _serial: Sequence number of the event.
77
+ _si: Splunk indexer and index information.
78
+ _sourcetype: Source type of the event data.
79
+ _time: Timestamp when the event occurred.
80
+ """
81
+ elif log_type == "azure-sign-in":
82
+ description += """ the columns from Azure-sign-in logs with their descriptions:
83
+ Source Type:
84
+ Type or category of the log.
85
+
86
+ Application Information:
87
+ - appDisplayName: The application name displayed in the Azure Portal.
88
+ - appId: The application identifier in Azure Active Directory.
89
+ - clientAppUsed: The legacy client used for sign-in activity.
90
+ - conditionalAccessStatus: The status of the conditional access policy triggered.
91
+ - correlationId: The identifier sent from the client when sign-in is initiated.
92
+ - createdDateTime: The date and time the sign-in was initiated in UTC.
93
+
94
+ Device Details:
95
+ - deviceDetail.browser: Browser details.
96
+ - deviceDetail.deviceId: Device ID.
97
+ - deviceDetail.displayName: Device display name.
98
+ - deviceDetail.isCompliant: Compliance status.
99
+ - deviceDetail.isManaged: Managed status.
100
+ - deviceDetail.operatingSystem: Operating system details.
101
+ - deviceDetail.trustType: Trust type.
102
+
103
+ Host Information:
104
+ - host: Tenant identifier.
105
+ - id: Sign-in activity identifier.
106
+ - ipAddress: Client IP address.
107
+ - isInteractive: Indicates whether a sign-in is interactive.
108
+
109
+ Location:
110
+ - location.city: City.
111
+ - location.countryOrRegion: Country or region.
112
+ - location.geoCoordinates.altitude: Altitude.
113
+ - location.geoCoordinates.latitude: Latitude.
114
+ - location.geoCoordinates.longitude: Longitude.
115
+ - location.state: State.
116
+
117
+ Resource Information:
118
+ - resourceDisplayName: Resource display name.
119
+ - resourceId: Resource identifier.
120
+
121
+ Risk Information:
122
+ - riskDetail: Reason behind the risk state.
123
+ - riskLevelAggregated: Aggregated risk level.
124
+ - riskLevelDuringSignIn: Risk level during sign-in.
125
+ - riskState: Risk state.
126
+
127
+ Sign-In Status Details:
128
+ - status.additionalDetails: Additional status details.
129
+ - status.errorCode: Error code.
130
+ - status.failureReason: Failure reason.
131
+
132
+ User Information:
133
+ - userDisplayName: User display name.
134
+ - userId: User identifier.
135
+ - userPrincipalName: User principal name.
136
+
137
+ Splunk Fields:
138
+ - timestartpos: Byte position where the timestamp starts.
139
+ - timeendpos: Byte position where the timestamp ends.
140
+
141
+ Audit Logs:
142
+
143
+ General Information:
144
+ - sourcetype: Audit
145
+ - host: Host name.
146
+ - id: Unique activity identifier.
147
+ - category: Category value.
148
+ - loggedByService: Service that logged the event.
149
+
150
+ Activity Information:
151
+ - activityDateTime: Date and time the activity occurred.
152
+ - activityDisplayName: Human-readable name for the activity.
153
+ - Level: Message type.
154
+
155
+ Actor Information:
156
+ - Actor: Name of the actor performing the operation.
157
+ - initiatedBy: Details of the initiator (app or user).
158
+
159
+ Operation Information:
160
+ - Command: Description of the operation performed.
161
+ - operationType: Type of operation.
162
+ - result: Result of the activity.
163
+ - ResultStatus: Result status.
164
+ - resultReason: Cause of failure or timeout results.
165
+
166
+ Target Information:
167
+ - Target_DisplayName: Activity or operation name.
168
+ - Target_ObjectID: Unique identifier for the target object.
169
+ - Target_userPrincipalName: UPN of the target user.
170
+ - targetResources: Details about the target resources.
171
+
172
+ Additional Details:
173
+ - additionalDetails: Key-value pairs of additional details.
174
+
175
+ New and Old Values:
176
+ - newValue: Value after the operation.
177
+ - oldValue: Value before the operation.
178
+ - modified_values: Difference between new and old value.
179
+
180
+ Splunk-Specific Information:
181
+ - timeendpos: Byte position where the timestamp ends.
182
+ - timestartpos: Byte position where the timestamp starts.
183
+ - value: Logged value.
184
+ - _bkt: Bucket ID in Splunk.
185
+ - _cd: Splunk internal ID.
186
+ - _indextime: Epoch time when the log was indexed.
187
+ - _serial: Serial number for the log entry.
188
+ - _si: Splunk indexer information.
189
+ - _sourcetype: Splunk sourcetype.
190
+ - _subsecond: Subsecond part of the timestamp.
191
+ - _time: Time the log was generated."""
192
+ elif log_type == "palo-alto":
193
+ description += """ the columns from Palo-alto logs with their descriptions:
194
+ - Receive Time: {Receive Time}
195
+ - Serial Number: {Serial Number}
196
+ - Type: SYSTEM
197
+ - Subtype: {Subtype}
198
+ - Generated Time: {Generated Time}
199
+ - Virtual System: {Virtual System}
200
+ - Event ID: {Event ID}
201
+ - Module: {Module} (only if Subtype is general)
202
+ - Severity: {Severity}
203
+ - Description: {Description}
204
+ - Sequence Number: {Sequence Number}
205
+ - Action Flags: {Action Flags}
206
+ - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
207
+ - Virtual System Name: {Virtual System Name}
208
+ - Device Name: {Device Name}
209
+ - Receive Time: {Receive Time}
210
+ - Serial Number: {Serial Number}
211
+ - Type: USERID
212
+ - Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
213
+ - Generated Time: {Generated Time}
214
+ - Virtual System: {Virtual System}
215
+ - Command: {Command}
216
+ - User: {User}
217
+ - Source IP: {Source IP}
218
+ - Data Source Name: {Data Source Name}
219
+ - Event ID: {Event ID}
220
+ - Repeat Count: {Repeat Count}
221
+ - Timeout: {Timeout}
222
+ - Source Port: {Source Port}
223
+ - Destination Port: {Destination Port}
224
+ - Sequence Number: {Sequence Number}
225
+ - Action Flags: {Action Flags}
226
+ - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
227
+ - Virtual System Name: {Virtual System Name}
228
+ - Device Name: {Device Name}
229
+ - Virtual System ID: {Virtual System ID}
230
+ - sourcetype: {sourcetype}
231
+ - _raw: {raw log data}
232
+ - action: {action}
233
+ - action_flags: {action_flags}
234
+ - action_source: {action_source}
235
+ - app: {app}
236
+ - bytes: {bytes}
237
+ - bytes_in: {bytes_in}
238
+ - bytes_out: {bytes_out}
239
+ - client_ip: {client_ip}
240
+ - dest_ip: {dest_ip}
241
+ - dest_port: {dest_port}
242
+ - dest_translated_ip: {dest_translated_ip}
243
+ - dest_translated_port: {dest_translated_port}
244
+ - dest_zone: {dest_zone}
245
+ - duration: {duration}
246
+ - protocol: {protocol}
247
+ - receive_time: {receive_time}
248
+ - rule: {rule}
249
+ - sequence_number: {sequence_number}
250
+ - src_ip: {src_ip}
251
+ - src_port: {src_port}
252
+ - src_translated_ip: {src_translated_ip}
253
+ - src_translated_port: {src_translated_port}
254
+ - src_zone: {src_zone}
255
+ - start_time: {start_time}
256
+ - Receive Time: {Receive Time}
257
+ - Serial Number: {Serial Number}
258
+ - Threat/Content Type: {Threat/Content Type}
259
+ - Generate Time: {Generate Time}
260
+ - Source Address: {Source Address}
261
+ - Destination Address: {Destination Address}
262
+ - NAT Source IP: {NAT Source IP}
263
+ - NAT Destination IP: {NAT Destination IP}
264
+ - Rule Name: {Rule Name}
265
+ - Source User: {Source User}
266
+ - Destination User: {Destination User}
267
+ - Application: {Application}
268
+ - Virtual System: {Virtual System}
269
+ - Source Zone: {Source Zone}
270
+ - Destination Zone: {Destination Zone}
271
+ - Inbound Interface: {Inbound Interface}
272
+ - Outbound Interface: {Outbound Interface}
273
+ - Log Action: {Log Action}
274
+ - Session ID: {Session ID}
275
+ - Repeat Count: {Repeat Count}
276
+ - Source Port: {Source Port}
277
+ - Destination Port: {Destination Port}
278
+ - NAT Source Port: {NAT Source Port}
279
+ - NAT Destination Port: {NAT Destination Port}
280
+ - Flags: {Flags}
281
+ - IP Protocol: {IP Protocol}
282
+ - Action: {Action}
283
+ - URL/Filename: {URL/Filename}
284
+ - Threat/Content Name: {Threat/Content Name}
285
+ - Category: {Category}
286
+ - Severity: {Severity}
287
+ - Direction: {Direction}
288
+ - Sequence Number: {Sequence Number}
289
+ - Action Flags: {Action Flags}
290
+ - Source Country: {Source Country}
291
+ - Destination Country: {Destination Country}
292
+ - Content Type: {Content Type}
293
+ - PCAP ID: {PCAP ID}
294
+ - File Digest: {File Digest}
295
+ - Cloud: {Cloud}
296
+ - URL Index: {URL Index}
297
+ - User Agent: {User Agent}
298
+ - File Type: {File Type}
299
+ - X-Forwarded-For: {X-Forwarded-For}
300
+ - Referer: {Referer}
301
+ - Sender: {Sender}
302
+ - Subject: {Subject}
303
+ - Recipient: {Recipient}
304
+ - Report ID: {Report ID}
305
+ - Device Group Hierarchy: {Device Group Hierarchy}
306
+ - Virtual System Name: {Virtual System Name}
307
+ - Device Name: {Device Name}
308
+ - Source VM UUID: {Source VM UUID}
309
+ - Destination VM UUID: {Destination VM UUID}
310
+ - HTTP Method: {HTTP Method}
311
+ - Tunnel ID/IMSI: {Tunnel ID/IMSI}
312
+ - Monitor Tag/IMEI: {Monitor Tag/IMEI}
313
+ - Parent Session ID: {Parent Session ID}
314
+ - Parent Session Start Time: {Parent Session Start Time}
315
+ - Tunnel Type: {Tunnel Type}
316
+ - Threat Category: {Threat Category}
317
+ - Content Version: {Content Version}
318
+ - SCTP Association ID: {SCTP Association ID}
319
+ - Payload Protocol ID: {Payload Protocol ID}
320
+ - HTTP Headers: {HTTP Headers}
321
+ - URL Category List: {URL Category List}
322
+ - Rule UUID: {Rule UUID}
323
+ - HTTP/2 Connection: {HTTP/2 Connection}
324
+ - Dynamic User Group Name: {Dynamic User Group Name}
325
+ - XFF Address: {XFF Address}
326
+ - Source Device Category: {Source Device Category}
327
+ - Source Device Profile: {Source Device Profile}
328
+ - Source Device Model: {Source Device Model}
329
+ - Source Device Vendor: {Source Device Vendor}
330
+ - Source Device OS Family: {Source Device OS Family}
331
+ - Source Device OS Version: {Source Device OS Version}
332
+ - Source Hostname: {Source Hostname}
333
+ - Source MAC Address: {Source MAC Address}
334
+ - Destination Device Category: {Destination Device Category}
335
+ - Destination Device Profile: {Destination Device Profile}
336
+ """
337
+
338
+ elif log_type == "office365":
339
+ description += """ the columns from Microsoft 365 logs with their descriptions:
340
+
341
+ Sourcetype: The type or category of the log source, indicating the origin or format of the log data.
342
+
343
+ _raw: The raw log message as received by the logging system, containing the complete unprocessed log entry.
344
+
345
+ ChatThreadId: The unique identifier of a chat thread, used to group messages within the same conversation.
346
+
347
+ CommunicationType: The type of communication, such as chat, call, or meeting.
348
+
349
+ CreationTime: The timestamp when the log entry or event was created.
350
+
351
+ Id: A unique identifier for the log entry or event.
352
+
353
+ ItemName: The name of the item involved in the event, such as a message or file.
354
+
355
+ MessageId: The unique identifier of a specific message.
356
+
357
+ MessageVersion: The version of the message, indicating updates or edits.
358
+
359
+ MessageVisibilityTime: The time when the message became visible to users.
360
+
361
+ Operation: The specific operation or action that was performed (e.g., send, delete).
362
+
363
+ OrganizationId: The unique identifier of the organization to which the event is related.
364
+
365
+ ParticipantInfo.HasForeignTenantUsers: Indicates if the chat or communication includes users from foreign tenants.
366
+
367
+ ParticipantInfo.HasGuestUsers: Indicates if the chat includes guest users.
368
+
369
+ ParticipantInfo.HasOtherGuestUsers: Indicates if there are other guest users involved.
370
+
371
+ ParticipantInfo.HasUnauthenticatedUsers: Indicates if there are unauthenticated users participating.
372
+
373
+ ParticipantInfo.ParticipatingTenantIds{}: The IDs of tenants participating in the communication.
374
+
375
+ RecordType: The type of record, often indicating the category of the log (e.g., message, call).
376
+
377
+ ResourceTenantId: The tenant ID associated with the resource being accessed or modified.
378
+
379
+ UserId: The unique identifier of the user involved in the event.
380
+
381
+ UserKey: A key associated with the user, often used for authentication or identification.
382
+
383
+ UserType: The type of user (e.g., member, guest).
384
+
385
+ Version: The version of the log schema or format.
386
+
387
+ Workload: The specific Microsoft service or workload related to the event (e.g., Teams, Exchange).
388
+
389
+ App: The application involved in the event.
390
+
391
+ Authentication_service: The authentication service used for the event.
392
+
393
+ Command: The specific command executed as part of the event.
394
+
395
+ Dest: The destination involved in the event.
396
+
397
+ Dest_name: The name of the destination.
398
+
399
+ Dvc: Device information related to the event.
400
+
401
+ Host: The host or server where the event occurred.
402
+
403
+ Record_type: Another field indicating the type of record.
404
+
405
+ Result: The outcome or result of the operation (e.g., success, failure).
406
+
407
+ Signature: A signature related to the event, often for verification purposes.
408
+
409
+ Status: The status of the event or operation (e.g., completed, pending).
410
+
411
+ Tenant_id: The unique identifier of the tenant where the event occurred.
412
+
413
+ Timeendpos: The end time position of the event.
414
+
415
+ Timestartpos: The start time position of the event.
416
+
417
+ User: General information about the user involved in the event.
418
+
419
+ User_id: The unique identifier of the user.
420
+
421
+ User_type: The type of user (similar to UserType).
422
+
423
+ Vendor_account: The account associated with the vendor.
424
+
425
+ Vendor_product: The product associated with the vendor.
426
+
427
+ _bkt: The bucket where the log data is stored.
428
+
429
+ _cd: The cluster ID in a distributed system.
430
+
431
+ _indextime: The time when the log entry was indexed.
432
+
433
+ _serial: A serial number or sequence identifier for the log entry.
434
+
435
+ _si: An array containing additional internal identifiers."""
436
+
437
+ return list(set(description))
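Review bot: `description` is never initialised before the `description += """..."""` in `descriptions()`, so the first matched log type raises `UnboundLocalError` (and so does the final `return` when every line comes back `Unknown`), and `return list(set(description))` applied to a string yields a list of its distinct characters, not the descriptions. Initialise `description = ""` at the top of the function and return the joined text, or better, collect one entry per detected type in a dict keyed by log type, which also deduplicates when `detecting_types` returns the same type for every line of a multi-line input. Two smaller points in the same hunk: the Palo Alto block contains `{Receive Time}`-style placeholders rather than column descriptions, and the `print('TYPES!!! ', types)` debug output in `detecting_types` should be dropped or routed through logging before merge.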
format_input.py ADDED
@@ -0,0 +1,259 @@
1
+ import re
2
+ import sys
3
+ import os
4
+
5
+ # Add the project root to sys.path
6
+ sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
7
+
8
+ from location.IP_Checker import get_all_details
9
+
10
+ def append_severity_definition(log_text):
11
+ severity_definitions = {
12
+ "Information": "The event provides useful context but is not critical.",
13
+ "Notice": "Signifies noteworthy event that do not require immediate action.",
14
+ "Warning": "Indicates potential issue that should be addressed and should be investigated before escalation.",
15
+ "Error": "Indicates a problem that needs to be resolved and impacts system functionality but doesn't cause immediate service disruption.",
16
+ "Critical": "Indicates a severe issue that causes significant loss of service and requires immediate attention.",
17
+ }
18
+
19
+ match = re.search(r"Severity:\s*(\S+)", log_text)
20
+ if match:
21
+ severity = match.group(1)
22
+ definition = severity_definitions.get(severity)
23
+ if definition:
24
+ log_text = re.sub(
25
+ r"(Severity:\s*" + re.escape(severity) + r")\n",
26
+ r"\1\n - Severity Definition: " + definition + "\n",
27
+ log_text,
28
+ )
29
+ return log_text
30
+
31
+
32
+ def format_sophos_row(row):
33
+ def get_value(key, default="Unknown"):
34
+ return row.get(key, default)
35
+
36
+ return f"""
37
+ - Device Information
38
+ - Device Name: {get_value("device_name")}
39
+ - Device Model: {get_value("device_model")}
40
+ - Device Serial ID: {get_value("device_serial_id")}
41
+
42
+ - Connection Details
43
+ - Source IP: {get_value("src_ip")}
44
+ - Source Country: {get_value("src_country", "Unknown") if get_value("src_country") != 'R1' else "Unknown"}
45
+ - Destination IP: {get_value("dst_ip")}
46
+ - Destination Country: {get_value("dst_country", "Unknown") if get_value("dst_country") != 'R1' else "Unknown"}
47
+ - Protocol: {get_value("protocol")}
48
+ - Source Port: {get_value("src_port")}
49
+ - Destination Port: {get_value("dst_port")}
50
+ - Timestamp: {get_value("timestamp")}
51
+
52
+ - Log Information
53
+ - Log Type: {get_value("log_type")}
54
+ - Log Component: {get_value("log_component")}
55
+ - Log Subtype: {get_value("log_subtype")}
56
+ - Severity: {get_value("severity")}
57
+
58
+ - Additional Information
59
+ - Heartbeat Status: {get_value("hb_status")}
60
+ - Application Resolved By: {get_value("app_resolved_by")}
61
+ - Application Is Cloud: {get_value("app_is_cloud")}
62
+ """
63
+
64
+
65
+ def format_azure_sign_in_logs(data_row):
66
+ def get_value(key, default="Unknown"):
67
+ return data_row.get(key, default)
68
+
69
+ device_detail = (
70
+ f"\n- Device Detail:"
71
+ f"\n Device ID: {get_value('deviceDetail_deviceId')}"
72
+ f"\n Display Name: {get_value('deviceDetail_displayName')}"
73
+ f"\n Operating System: {get_value('deviceDetail_operatingSystem')}"
74
+ f"\n Browser: {get_value('deviceDetail_browser')}"
75
+ f"\n Compliance: {get_value('deviceDetail_isCompliant')}"
76
+ f"\n Managed: {get_value('deviceDetail_isManaged')}"
77
+ f"\n Trust Type: {get_value('deviceDetail_trustType')}"
78
+ )
79
+
80
+ location = (
81
+ f"\n- Location:"
82
+ f"\n City: {get_value('location_city')}"
83
+ f"\n State: {get_value('location_state')}"
84
+ f"\n Country/Region: {get_value('location_countryOrRegion')}"
85
+ f"\n Latitude: {get_value('location_geoCoordinates_latitude')}"
86
+ f"\n Longitude: {get_value('location_geoCoordinates_longitude')}"
87
+ )
88
+
89
+ return (
90
+ f"Created Date: {get_value('createdDateTime')}\n"
91
+ f"User: {get_value('userDisplayName')}\n"
92
+ f"User Principal Name: {get_value('userPrincipalName')}\n"
93
+ f"User ID: {get_value('userId')}\n"
94
+ f"Application ID: {get_value('appId')}\n"
95
+ f"Application Display Name: {get_value('appDisplayName')}\n"
96
+ f"IP Address: {get_value('ipAddress')}\n"
97
+ f"More information about Location:{get_all_details({get_value('ipAddress')})}"
98
+ f"Client App Used: {get_value('clientAppUsed')}\n"
99
+ f"Conditional Access Status: {get_value('conditionalAccessStatus')}\n"
100
+ f"{device_detail}\n"
101
+ f"{location}\n"
102
+ f"- Status: {get_value('status_additionalDetails')}\n"
103
+ )
104
+
105
+
106
+ def format_palo_alto_logs(data_row):
107
+ def get_value(key, default="Unknown"):
108
+ return data_row.get(key, default)
109
+
110
+ core_identifiers = (
111
+ f"Source: {get_value('src')}\n"
112
+ f"Destination: {get_value('dest')}\n"
113
+ f"Source IP: {get_value('src_ip')}\n"
114
+ f"Destination IP: {get_value('dest_ip')}\n"
115
+ f"Source Port: {get_value('src_port')}\n"
116
+ f"Destination Port: {get_value('dest_port')}\n"
117
+ f"Protocol: {get_value('protocol')}\n"
118
+ )
119
+
120
+ traffic_volume = (
121
+ f"Bytes: {get_value('bytes')}\n"
122
+ f"Bytes In: {get_value('bytes_in')}\n"
123
+ f"Bytes Out: {get_value('bytes_out')}\n"
124
+ f"Packets: {get_value('packets')}\n"
125
+ f"Packets In: {get_value('packets_in')}\n"
126
+ f"Packets Out: {get_value('packets_out')}\n"
127
+ )
128
+
129
+ temporal_info = (
130
+ f"Start Time: {get_value('start_time')}\n"
131
+ f"Date: {get_value('date_year')}-{get_value('date_month')}-{get_value('date_mday')} "
132
+ f"{get_value('date_hour')}:{get_value('date_minute')}:{get_value('date_second')}\n"
133
+ f"Duration: {get_value('duration')}\n"
134
+ )
135
+
136
+ network_device_info = (
137
+ f"Source Zone: {get_value('src_zone')}\n"
138
+ f"Destination Zone: {get_value('dest_zone')}\n"
139
+ f"Source Interface: {get_value('src_interface')}\n"
140
+ f"Destination Interface: {get_value('dest_interface')}\n"
141
+ f"Device ID: {get_value('dvc')}\n"
142
+ f"Device Name: {get_value('dvc_name')}\n"
143
+ )
144
+
145
+ app_user_info = (
146
+ f"Application: {get_value('application')}\n"
147
+ f"User: {get_value('user')}\n"
148
+ f"User Agent: {get_value('user_agent')}\n"
149
+ )
150
+
151
+ security_info = (
152
+ f"Action: {get_value('action')}\n"
153
+ f"Severity: {get_value('severity')}\n"
154
+ f"Threat: {get_value('threat')}\n"
155
+ f"Threat Category: {get_value('threat_category')}\n"
156
+ f"Signature: {get_value('signature')}\n"
157
+ f"Signature ID: {get_value('signature_id')}\n"
158
+ )
159
+
160
+ return (
161
+ f"{core_identifiers}\n"
162
+ f"{traffic_volume}\n"
163
+ f"{temporal_info}\n"
164
+ f"{network_device_info}\n"
165
+ f"{app_user_info}\n"
166
+ f"{security_info}\n"
167
+ )
168
+
169
+ def format_office365_logs(data_row):
170
+ def get_value(key, default="Unknown"):
171
+ return data_row.get(key, default)
172
+
173
+ actor_info = (
174
+ f"- Actor Information:\n"
175
+ f" - User ID: {get_value('UserId')}\n"
176
+ f" - User Key: {get_value('UserKey')}\n"
177
+ f" - User Type: {get_value('UserType')}\n"
178
+ f" - User Principal Name: {get_value('UserPrincipalName')}\n"
179
+ f" - Actor IP Address: {get_value('ActorIpAddress')}\n"
180
+ )
181
+
182
+ device_info = (
183
+ f"- Device Information:\n"
184
+ f" - Client IP: {get_value('ClientIP')}\n"
185
+ f" - Client App ID: {get_value('ClientAppId')}\n"
186
+ f" - Client App Name: {get_value('AppAccessContext.ClientAppName')}\n"
187
+ f" - Device ID: {get_value('DeviceId')}\n"
188
+ f" - Device Name: {get_value('DeviceName')}\n"
189
+ f" - Device Operating System: {get_value('DeviceOperatingSystem')}\n"
190
+ )
191
+
192
+ operation_info = (
193
+ f"- Operation Information:\n"
194
+ f" - Operation: {get_value('Operation')}\n"
195
+ f" - Operation Properties: {get_value('OperationProperties')}\n"
196
+ f" - Object ID: {get_value('ObjectId')}\n"
197
+ f" - Object Type: {get_value('ObjectType')}\n"
198
+ f" - Object Name: {get_value('ObjectName')}\n"
199
+ )
200
+
201
+ policy_info = (
202
+ f"- Policy Information:\n"
203
+ f" - Policy Details: {get_value('PolicyDetails')}\n"
204
+ f" - Policy Identifier: {get_value('PolicyIdentifierString')}\n"
205
+ f" - Policy Last Updated Time: {get_value('PolicyLastUpdatedTime')}\n"
206
+ )
207
+
208
+ event_info = (
209
+ f"- Event Information:\n"
210
+ f" - Creation Time: {get_value('CreationTime')}\n"
211
+ f" - Result Status: {get_value('ResultStatus')}\n"
212
+ f" - Record Type: {get_value('RecordType')}\n"
213
+ f" - Request ID: {get_value('RequestId')}\n"
214
+ f" - Organization ID: {get_value('OrganizationId')}\n"
215
+ f" - Organization Name: {get_value('OrganizationName')}\n"
216
+ f" - Tenant ID: {get_value('TenantId')}\n"
217
+ )
218
+
219
+ additional_info = (
220
+ f"- Additional Information:\n"
221
+ f" - App Display Name: {get_value('ApplicationDisplayName')}\n"
222
+ f" - User Agent: {get_value('UserAgent')}\n"
223
+ f" - Session ID: {get_value('SessionId')}\n"
224
+ )
225
+
226
+ return (
227
+ f"{actor_info}\n"
228
+ f"{device_info}\n"
229
+ f"{operation_info}\n"
230
+ f"{policy_info}\n"
231
+ f"{event_info}\n"
232
+ f"{additional_info}\n"
233
+ )
234
+
235
+
236
+ def flatten_json(json_data, parent_key="", separator="_"):
237
+ def _flatten(obj, parent_key=""):
238
+ items = {}
239
+ for k, v in obj.items():
240
+ new_key = f"{parent_key}{separator}{k}" if parent_key else k
241
+ if isinstance(v, dict):
242
+ items.update(_flatten(v, new_key))
243
+ else:
244
+ items[new_key] = v
245
+ return items
246
+
247
+ return _flatten(json_data, parent_key)
248
+
249
+ def detect_log_type(log_data):
250
+ if "device_name" in log_data and "src_ip" in log_data and "dst_ip" in log_data:
251
+ return "sophos"
252
+ elif "userPrincipalName" in log_data and "ipAddress" in log_data:
253
+ return "azure-sign-in"
254
+ elif "src" in log_data and "dest" in log_data and "severity" in log_data:
255
+ return "palo-alto"
256
+ elif "UserId" in log_data and "ClientIP" in log_data and "Operation" in log_data:
257
+ return "office365"
258
+ else:
259
+ return "Unknown"
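Review bot: in `format_azure_sign_in_logs`, `get_all_details({get_value('ipAddress')})` wraps the value in braces inside the f-string expression, which Python evaluates as a set literal, so `get_all_details` receives `{'<ip>'}` instead of the IP string; it should read `get_all_details(get_value('ipAddress'))`, and that f-string is also missing its trailing `\n`, so the "Client App Used" line runs onto the same line. If `get_all_details` performs a network lookup, formatting every row will send each log IP to that service, so consider caching or making it opt-in. Separately, `detect_log_type` does substring checks on whatever it is given (and `descriptions.py` feeds it one text line at a time), while every formatter in this file calls `data_row.get(key)` on a dict; settle on one input shape (a dict from `flatten_json`, with the checks written as `key in row`, would serve both). `flatten_json` leaves list values unflattened, and `append_severity_definition` is defined but not called anywhere in this commit.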
testing_input.py ADDED
@@ -0,0 +1,34 @@
1
+ # Example log input
2
+ log_input = """
3
+ user total_count_by_user ClientIP count cyences_severity Country Region City Last_Failed_Login user_type authentication_method LogonError failureReason additionalDetails appDisplayName clientAppUsed conditionalAccessStatus isInteractive ExtendedProperties ApplicationId
4
+ [email protected] 58 2601:249:8e80:bf40:f0e5:db8:d44d:fe35 1 info United States Illinois Chicago 2023-07-24 14:06:19 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 UserAuthenticationMethod : 1 00000006-0000-0ff1-ce00-000000000000
5
+ [email protected] 55 162.204.225.100 53 info United States Illinois Highland Park 2023-09-19 13:10:10 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : Login:reprocess RequestType : OAuth2:Authorize RequestType : OAuth2:Token RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success ResultStatusDetail : UserError UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Windows-AzureAD-Authentication-Provider/1.0 UserAuthenticationMethod : 1 1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e 386ce8c0-7421-48c9-a1df-2a532400339f 38aa3b87-a06d-4817-b275-7a316988d93b 4765445b-32c6-49b0-83e6-1d93765276ca 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 6204c1d1-4712-4c46-a7d9-3ed63d992682 7f67af8a-fedc-4b08-8b4e-37c4d127b6cf 81feaced-5ddd-41e7-8bef-3e20a2689bb7 871c010f-5e61-4fb1-83ac-98610a7e9110 
8c59ead7-d703-4a27-9e55-c96a0054c8d2 c44b4083-3bb0-49c1-b47d-974e53cbdf3c dd762716-544d-4aeb-a526-687b73838a22 de50c81f-5f80-4771-b66b-cebd28ccdfc1
6
+ [email protected] 55 20.80.3.238 2 info United States Illinois Chicago 2023-08-30 08:16:06 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000 386ce8c0-7421-48c9-a1df-2a532400339f
7
+ [email protected] 48 38.100.101.129 12 info United States Illinois Chicago 2023-09-19 09:57:01 PDT Regular Password FlowTokenExpired InvalidUserNameOrPassword PasswordResetRegistrationRequiredInterrupt UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000 4765445b-32c6-49b0-83e6-1d93765276ca c44b4083-3bb0-49c1-b47d-974e53cbdf3c
8
+ [email protected] 48 92.253.31.66 8 info Jordan Amman Governorate Amman 2023-07-31 11:43:53 PDT Regular Password FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 4765445b-32c6-49b0-83e6-1d93765276ca c44b4083-3bb0-49c1-b47d-974e53cbdf3c
9
+ [email protected] 48 176.28.251.92 3 info Jordan Amman Governorate Amman 2023-09-12 06:07:40 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76 UserAuthenticationMethod : 1 1b730954-1685-4b74-9bfd-dac224a7b894 4765445b-32c6-49b0-83e6-1d93765276ca
10
+ [email protected] 48 176.29.167.129 3 info Jordan Amman Governorate Amman 2023-09-13 02:18:06 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76 UserAuthenticationMethod : 1 497effe9-df71-4043-a8bb-14cf78c4b63b fb78d390-0c51-40cd-8e17-fdbfab77341b
11
+ [email protected] 48 2a01:9700:1171:d000:250c:d479:a88:5c36 3 info Jordan Amman Governorate Amman 2023-07-31 04:47:04 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
12
+ [email protected] 48 2a01:9700:1171:d000:29d7:9fc3:5711:b610 3 info Jordan Amman Governorate Amman 2023-07-31 13:38:06 PDT Regular Password FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
13
+ [email protected] 48 2a01:9700:1171:d000:581c:4679:86cd:4530 3 info Jordan Amman Governorate Amman 2023-07-31 14:15:30 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
14
+ [email protected] 48 46.185.168.168 3 info Jordan Amman Governorate Amman 2023-09-01 04:41:07 PDT Regular Password PasswordResetRegistrationRequiredInterrupt UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAuthenticationMethod : 1 1b730954-1685-4b74-9bfd-dac224a7b894 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
15
+ [email protected] 48 92.253.31.230 3 info Jordan Amman Governorate Amman 2023-09-14 10:06:28 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
16
+ [email protected] 48 86.108.19.83 2 info Jordan Amman Governorate Amman 2023-09-25 04:11:48 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.41 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
17
+ [email protected] 48 2a01:9700:1171:d000:28db:e128:dfb8:a499 1 info Jordan Amman Governorate Amman 2023-07-31 14:32:31 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
18
+ [email protected] 48 2a01:9700:1171:d000:8829:825f:40d1:314a 1 info Jordan Amman Governorate Amman 2023-07-31 11:15:05 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
19
+ [email protected] 48 2a01:9700:1171:d000:a905:7f34:b0a0:5902 1 info Jordan Amman Governorate Amman 2023-07-31 04:02:21 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
20
+ [email protected] 48 2a01:9700:1171:d000:a966:d9c7:927b:7206 1 info Jordan Amman Governorate Amman 2023-07-31 05:02:19 PDT Regular Password InvalidUserNameOrPassword RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
21
+ [email protected] 48 2a01:9700:1171:d000:aca3:934a:6a67:bf20 1 info Jordan Amman Governorate Amman 2023-07-31 14:51:06 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
22
+ [email protected] 42 5.46.192.89 12 info Türkiye Istanbul Istanbul 2023-07-31 00:30:54 PDT Regular Password AuthenticationFailedSasError BlockedByConditionalAccess FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) PKeyAuth/1.0 UserAuthenticationMethod : 1 1fec8e78-bce4-4aaf-ab1b-5451cc387264 27922004-5251-4030-b22d-91ecd9a37ea4
23
+ [email protected] 42 159.146.45.29 11 info Türkiye Istanbul Istanbul 2023-09-18 04:45:47 PDT Regular Password AdminConsentRequiredRequestAccess InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : Login:reprocess RequestType : OAuth2:Authorize RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000003-0000-0ff1-ce00-000000000000 0000000c-0000-0000-c000-000000000000 1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e 4765445b-32c6-49b0-83e6-1d93765276ca
24
+ [email protected] 42 159.146.14.253 5 info Türkiye Istanbul Istanbul 2023-08-14 02:29:10 PDT Regular Password InvalidUserNameOrPassword RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000
25
+ [email protected] 42 159.146.18.252 4 info Türkiye Istanbul Istanbul 2023-09-21 22:54:07 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000 18fbca16-2224-45f6-85b0-f7bf2b39b3f3
26
+ [email protected] 42 159.146.45.117 4 info Türkiye Istanbul Istanbul 2023-09-06 01:17:23 PDT Regular Password InvalidUserNameOrPassword RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1 29d9ed98-a469-4536-ade2-f981bc1d605e
27
+ [email protected] 42 5.46.251.148 3 info Türkiye Istanbul Istanbul 2023-09-22 13:30:35 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000003-0000-0ff1-ce00-000000000000
28
+ [email protected] 42 159.146.14.116 1 info Türkiye Istanbul Istanbul 2023-08-20 23:39:56 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000003-0000-0ff1-ce00-000000000000
29
+ [email protected] 42 159.146.14.128 1 info Türkiye Istanbul Istanbul 2023-08-15 07:56:14 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000003-0000-0ff1-ce00-000000000000
30
+ [email protected] 42 159.146.18.85 1 info Türkiye Istanbul Istanbul 2023-08-18 08:59:58 PDT Regular Password UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1 00000003-0000-0ff1-ce00-000000000000
31
+ [email protected] 40 79.173.219.190 12 info Jordan Amman Governorate Amman 2023-07-27 23:12:59 PDT Regular Password FlowTokenExpired UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.183 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000 1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e d3590ed6-52b3-4102-aeff-aad2292ab01c
32
+ [email protected] 40 92.253.31.230 9 info Jordan Amman Governorate Amman 2023-09-14 10:32:22 PDT Regular Password InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAuthenticationMethod : 1 00000002-0000-0ff1-ce00-000000000000
33
+ [email protected] 40 94.249.108.201 6 info Jordan Amman Governorate Amman 2023-08-28 06:00:20 PDT Regular Password FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt RequestType : Login:login RequestType : OAuth2:Authorize RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Linux; Android 10; MAR-LX1M Build/HUAWEIMAR-L21MEA; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/115.0.5790.166 Mobile Safari/537.36 PKeyAuth/1.0 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1 1fec8e78-bce4-4aaf-ab1b-5451cc387264 d3590ed6-52b3-4102-aeff-aad2292ab01c dd762716-544d-4aeb-a526-687b73838a22
34
+ """
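Review bot: the sample sign-in rows embedded in this string literal still carry real-looking public IPv4 and IPv6 addresses, city-level geolocation, timestamps and application/client identifiers even though the user names have been redacted to [email protected]; if this is intended as test input, the source addresses should be replaced with documentation ranges (192.0.2.0/24, 2001:db8::/32) or the fixture moved out of the committed source, because a redacted user name does not anonymize a row that still identifies the client network and time of the attempt. Separately, each row is a single whitespace-separated line in which repeated multi-valued fields (several "RequestType : ..." and "UserAgent : ..." values per row, user agents themselves containing spaces and semicolons) run together with no delimiter, so nothing downstream can recover column boundaries from this text by splitting on whitespace; consider storing the fixture as tab-separated or JSON lines with one value per field, which would also make the intended column count explicit.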