Upload 3 files

descriptions.py

@@ -0,0 +1,437 @@
+from api.format_input import (
+    detect_log_type,
+)
+def detecting_types(chaine):
+    types = []
+    lignes = chaine.splitlines()
+    for l in lignes:
+        types.append(detect_log_type(l))
+    print ('available types!')
+    print ('TYPES!!! ',types)
+    return types
+
+# log_type = detect_log_type(log_input)
+def descriptions (log_input):
+    for log_type in detecting_types(log_input):
+        if log_type == "sophos":
+            description += """ the columns from Sophos logs with their descriptions:
+        sourcetype: The type of source that generated the log entry.
+        _raw: The raw log message as received.
+        action: The action taken by the firewall.
+        app: The application associated with the session.
+        app_category: Category of the application.
+        app_is_cloud: Indicates if the application is cloud-based.
+        app_name: Name of the application.
+        app_resolved_by: Method by which the application was identified.
+        app_risk: Risk level of the application.
+        app_technology: Technology type of the application.
+        bytes: Total number of bytes transferred.
+        bytes_in: Number of bytes received.
+        bytes_out: Number of bytes sent.
+        con_id: Connection ID.
+        dest: Destination IP address.
+        dest_mac: Destination MAC address.
+        dest_port: Destination port.
+        dest_zone: Destination zone.
+        device_model: Model of the device.
+        device_name: Name of the device.
+        device_serial_id: Serial ID of the device.
+        dst_country: Destination country.
+        duration: Duration of the session.
+        dvc: Device name.
+        ether_type: Ethernet type.
+        fw_rule_id: Firewall rule ID.
+        fw_rule_type: Type of firewall rule.
+        hb_status: Heartbeat status.
+        host: Host IP address.
+        in_display_interface: Display interface name.
+        in_interface: Ingress interface.
+        log_component: Log component.
+        log_id: Log ID.
+        log_occurrence: Number of occurrences of the log entry.
+        log_subtype: Subtype of the log.
+        log_type: Type of log.
+        log_version: Version of the log format.
+        nat_rule_id: NAT rule ID.
+        packets: Total number of packets transferred.
+        packets_in: Number of packets received.
+        packets_out: Number of packets sent.
+        protocol: Protocol used in the session.
+        qualifier: Qualifier for the log entry.
+        severity: Severity level of the event.
+        src: Source IP address.
+        src_country: Source country.
+        src_interface: Source interface.
+        src_mac: Source MAC address.
+        src_port: Source port.
+        src_zone: Source zone.
+        timeendpos: End position of the timestamp in the raw log.
+        timestamp: Timestamp of the event.
+        timestartpos: Start position of the timestamp in the raw log.
+        transport: Transport protocol used.
+        _bkt: Bucket name where the event is stored in Splunk.
+        _cd: Composite ID of the event.
+        _indextime: Epoch time when the event was indexed.
+        _kv: Key-value extraction indicator.
+        _serial: Sequence number of the event.
+        _si: Splunk indexer and index information.
+        _sourcetype: Source type of the event data.
+        _time: Timestamp when the event occurred.
+        """
+        elif log_type == "azure-sign-in":
+            description += """ the columns from Azure-sign-in logs with their descriptions:
+        Source Type:
+        Type or category of the log.
+
+        Application Information:
+        - appDisplayName: The application name displayed in the Azure Portal.
+        - appId: The application identifier in Azure Active Directory.
+        - clientAppUsed: The legacy client used for sign-in activity.
+        - conditionalAccessStatus: The status of the conditional access policy triggered.
+        - correlationId: The identifier sent from the client when sign-in is initiated.
+        - createdDateTime: The date and time the sign-in was initiated in UTC.
+
+        Device Details:
+        - deviceDetail.browser: Browser details.
+        - deviceDetail.deviceId: Device ID.
+        - deviceDetail.displayName: Device display name.
+        - deviceDetail.isCompliant: Compliance status.
+        - deviceDetail.isManaged: Managed status.
+        - deviceDetail.operatingSystem: Operating system details.
+        - deviceDetail.trustType: Trust type.
+
+        Host Information:
+        - host: Tenant identifier.
+        - id: Sign-in activity identifier.
+        - ipAddress: Client IP address.
+        - isInteractive: Indicates whether a sign-in is interactive.
+
+        Location:
+        - location.city: City.
+        - location.countryOrRegion: Country or region.
+        - location.geoCoordinates.altitude: Altitude.
+        - location.geoCoordinates.latitude: Latitude.
+        - location.geoCoordinates.longitude: Longitude.
+        - location.state: State.
+
+        Resource Information:
+        - resourceDisplayName: Resource display name.
+        - resourceId: Resource identifier.
+
+        Risk Information:
+        - riskDetail: Reason behind the risk state.
+        - riskLevelAggregated: Aggregated risk level.
+        - riskLevelDuringSignIn: Risk level during sign-in.
+        - riskState: Risk state.
+
+        Sign-In Status Details:
+        - status.additionalDetails: Additional status details.
+        - status.errorCode: Error code.
+        - status.failureReason: Failure reason.
+
+        User Information:
+        - userDisplayName: User display name.
+        - userId: User identifier.
+        - userPrincipalName: User principal name.
+
+        Splunk Fields:
+        - timestartpos: Byte position where the timestamp starts.
+        - timeendpos: Byte position where the timestamp ends.
+
+        Audit Logs:
+
+        General Information:
+        - sourcetype: Audit
+        - host: Host name.
+        - id: Unique activity identifier.
+        - category: Category value.
+        - loggedByService: Service that logged the event.
+
+        Activity Information:
+        - activityDateTime: Date and time the activity occurred.
+        - activityDisplayName: Human-readable name for the activity.
+        - Level: Message type.
+
+        Actor Information:
+        - Actor: Name of the actor performing the operation.
+        - initiatedBy: Details of the initiator (app or user).
+
+        Operation Information:
+        - Command: Description of the operation performed.
+        - operationType: Type of operation.
+        - result: Result of the activity.
+        - ResultStatus: Result status.
+        - resultReason: Cause of failure or timeout results.
+
+        Target Information:
+        - Target_DisplayName: Activity or operation name.
+        - Target_ObjectID: Unique identifier for the target object.
+        - Target_userPrincipalName: UPN of the target user.
+        - targetResources: Details about the target resources.
+
+        Additional Details:
+        - additionalDetails: Key-value pairs of additional details.
+
+        New and Old Values:
+        - newValue: Value after the operation.
+        - oldValue: Value before the operation.
+        - modified_values: Difference between new and old value.
+
+        Splunk-Specific Information:
+        - timeendpos: Byte position where the timestamp ends.
+        - timestartpos: Byte position where the timestamp starts.
+        - value: Logged value.
+        - _bkt: Bucket ID in Splunk.
+        - _cd: Splunk internal ID.
+        - _indextime: Epoch time when the log was indexed.
+        - _serial: Serial number for the log entry.
+        - _si: Splunk indexer information.
+        - _sourcetype: Splunk sourcetype.
+        - _subsecond: Subsecond part of the timestamp.
+        - _time: Time the log was generated."""
+        elif log_type == "palo-alto":
+            description += """  the columns from Palo-alto logs with their descriptions:
+        - Receive Time: {Receive Time}
+        - Serial Number: {Serial Number}
+        - Type: SYSTEM
+        - Subtype: {Subtype}
+        - Generated Time: {Generated Time}
+        - Virtual System: {Virtual System}
+        - Event ID: {Event ID}
+        - Module: {Module} (only if Subtype is general)
+        - Severity: {Severity}
+        - Description: {Description}
+        - Sequence Number: {Sequence Number}
+        - Action Flags: {Action Flags}
+        - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
+        - Virtual System Name: {Virtual System Name}
+        - Device Name: {Device Name}
+        - Receive Time: {Receive Time}
+        - Serial Number: {Serial Number}
+        - Type: USERID
+        - Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
+        - Generated Time: {Generated Time}
+        - Virtual System: {Virtual System}
+        - Command: {Command}
+        - User: {User}
+        - Source IP: {Source IP}
+        - Data Source Name: {Data Source Name}
+        - Event ID: {Event ID}
+        - Repeat Count: {Repeat Count}
+        - Timeout: {Timeout}
+        - Source Port: {Source Port}
+        - Destination Port: {Destination Port}
+        - Sequence Number: {Sequence Number}
+        - Action Flags: {Action Flags}
+        - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
+        - Virtual System Name: {Virtual System Name}
+        - Device Name: {Device Name}
+        - Virtual System ID: {Virtual System ID}
+        - sourcetype: {sourcetype}
+        - _raw: {raw log data}
+        - action: {action}
+        - action_flags: {action_flags}
+        - action_source: {action_source}
+        - app: {app}
+        - bytes: {bytes}
+        - bytes_in: {bytes_in}
+        - bytes_out: {bytes_out}
+        - client_ip: {client_ip}
+        - dest_ip: {dest_ip}
+        - dest_port: {dest_port}
+        - dest_translated_ip: {dest_translated_ip}
+        - dest_translated_port: {dest_translated_port}
+        - dest_zone: {dest_zone}
+        - duration: {duration}
+        - protocol: {protocol}
+        - receive_time: {receive_time}
+        - rule: {rule}
+        - sequence_number: {sequence_number}
+        - src_ip: {src_ip}
+        - src_port: {src_port}
+        - src_translated_ip: {src_translated_ip}
+        - src_translated_port: {src_translated_port}
+        - src_zone: {src_zone}
+        - start_time: {start_time}
+        - Receive Time: {Receive Time}
+        - Serial Number: {Serial Number}
+        - Threat/Content Type: {Threat/Content Type}
+        - Generate Time: {Generate Time}
+        - Source Address: {Source Address}
+        - Destination Address: {Destination Address}
+        - NAT Source IP: {NAT Source IP}
+        - NAT Destination IP: {NAT Destination IP}
+        - Rule Name: {Rule Name}
+        - Source User: {Source User}
+        - Destination User: {Destination User}
+        - Application: {Application}
+        - Virtual System: {Virtual System}
+        - Source Zone: {Source Zone}
+        - Destination Zone: {Destination Zone}
+        - Inbound Interface: {Inbound Interface}
+        - Outbound Interface: {Outbound Interface}
+        - Log Action: {Log Action}
+        - Session ID: {Session ID}
+        - Repeat Count: {Repeat Count}
+        - Source Port: {Source Port}
+        - Destination Port: {Destination Port}
+        - NAT Source Port: {NAT Source Port}
+        - NAT Destination Port: {NAT Destination Port}
+        - Flags: {Flags}
+        - IP Protocol: {IP Protocol}
+        - Action: {Action}
+        - URL/Filename: {URL/Filename}
+        - Threat/Content Name: {Threat/Content Name}
+        - Category: {Category}
+        - Severity: {Severity}
+        - Direction: {Direction}
+        - Sequence Number: {Sequence Number}
+        - Action Flags: {Action Flags}
+        - Source Country: {Source Country}
+        - Destination Country: {Destination Country}
+        - Content Type: {Content Type}
+        - PCAP ID: {PCAP ID}
+        - File Digest: {File Digest}
+        - Cloud: {Cloud}
+        - URL Index: {URL Index}
+        - User Agent: {User Agent}
+        - File Type: {File Type}
+        - X-Forwarded-For: {X-Forwarded-For}
+        - Referer: {Referer}
+        - Sender: {Sender}
+        - Subject: {Subject}
+        - Recipient: {Recipient}
+        - Report ID: {Report ID}
+        - Device Group Hierarchy: {Device Group Hierarchy}
+        - Virtual System Name: {Virtual System Name}
+        - Device Name: {Device Name}
+        - Source VM UUID: {Source VM UUID}
+        - Destination VM UUID: {Destination VM UUID}
+        - HTTP Method: {HTTP Method}
+        - Tunnel ID/IMSI: {Tunnel ID/IMSI}
+        - Monitor Tag/IMEI: {Monitor Tag/IMEI}
+        - Parent Session ID: {Parent Session ID}
+        - Parent Session Start Time: {Parent Session Start Time}
+        - Tunnel Type: {Tunnel Type}
+        - Threat Category: {Threat Category}
+        - Content Version: {Content Version}
+        - SCTP Association ID: {SCTP Association ID}
+        - Payload Protocol ID: {Payload Protocol ID}
+        - HTTP Headers: {HTTP Headers}
+        - URL Category List: {URL Category List}
+        - Rule UUID: {Rule UUID}
+        - HTTP/2 Connection: {HTTP/2 Connection}
+        - Dynamic User Group Name: {Dynamic User Group Name}
+        - XFF Address: {XFF Address}
+        - Source Device Category: {Source Device Category}
+        - Source Device Profile: {Source Device Profile}
+        - Source Device Model: {Source Device Model}
+        - Source Device Vendor: {Source Device Vendor}
+        - Source Device OS Family: {Source Device OS Family}
+        - Source Device OS Version: {Source Device OS Version}
+        - Source Hostname: {Source Hostname}
+        - Source MAC Address: {Source MAC Address}
+        - Destination Device Category: {Destination Device Category}
+        - Destination Device Profile: {Destination Device Profile}
+        """
+
+        elif log_type == "office365":
+            description += """ the columns from Microsoft 365 logs with their descriptions:
+
+        Sourcetype: The type or category of the log source, indicating the origin or format of the log data.
+
+        _raw: The raw log message as received by the logging system, containing the complete unprocessed log entry.
+
+        ChatThreadId: The unique identifier of a chat thread, used to group messages within the same conversation.
+
+        CommunicationType: The type of communication, such as chat, call, or meeting.
+
+        CreationTime: The timestamp when the log entry or event was created.
+
+        Id: A unique identifier for the log entry or event.
+
+        ItemName: The name of the item involved in the event, such as a message or file.
+
+        MessageId: The unique identifier of a specific message.
+
+        MessageVersion: The version of the message, indicating updates or edits.
+
+        MessageVisibilityTime: The time when the message became visible to users.
+
+        Operation: The specific operation or action that was performed (e.g., send, delete).
+
+        OrganizationId: The unique identifier of the organization to which the event is related.
+
+        ParticipantInfo.HasForeignTenantUsers: Indicates if the chat or communication includes users from foreign tenants.
+
+        ParticipantInfo.HasGuestUsers: Indicates if the chat includes guest users.
+
+        ParticipantInfo.HasOtherGuestUsers: Indicates if there are other guest users involved.
+
+        ParticipantInfo.HasUnauthenticatedUsers: Indicates if there are unauthenticated users participating.
+
+        ParticipantInfo.ParticipatingTenantIds{}: The IDs of tenants participating in the communication.
+
+        RecordType: The type of record, often indicating the category of the log (e.g., message, call).
+
+        ResourceTenantId: The tenant ID associated with the resource being accessed or modified.
+
+        UserId: The unique identifier of the user involved in the event.
+
+        UserKey: A key associated with the user, often used for authentication or identification.
+
+        UserType: The type of user (e.g., member, guest).
+
+        Version: The version of the log schema or format.
+
+        Workload: The specific Microsoft service or workload related to the event (e.g., Teams, Exchange).
+
+        App: The application involved in the event.
+
+        Authentication_service: The authentication service used for the event.
+
+        Command: The specific command executed as part of the event.
+
+        Dest: The destination involved in the event.
+
+        Dest_name: The name of the destination.
+
+        Dvc: Device information related to the event.
+
+        Host: The host or server where the event occurred.
+
+        Record_type: Another field indicating the type of record.
+
+        Result: The outcome or result of the operation (e.g., success, failure).
+
+        Signature: A signature related to the event, often for verification purposes.
+
+        Status: The status of the event or operation (e.g., completed, pending).
+
+        Tenant_id: The unique identifier of the tenant where the event occurred.
+
+        Timeendpos: The end time position of the event.
+
+        Timestartpos: The start time position of the event.
+
+        User: General information about the user involved in the event.
+
+        User_id: The unique identifier of the user.
+
+        User_type: The type of user (similar to UserType).
+
+        Vendor_account: The account associated with the vendor.
+
+        Vendor_product: The product associated with the vendor.
+
+        _bkt: The bucket where the log data is stored.
+
+        _cd: The cluster ID in a distributed system.
+
+        _indextime: The time when the log entry was indexed.
+
+        _serial: A serial number or sequence identifier for the log entry.
+
+        _si: An array containing additional internal identifiers."""
+            
+    return list(set(description))

format_input.py

@@ -0,0 +1,259 @@
+import re
+import sys
+import os
+
+# Add the project root to sys.path
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from location.IP_Checker import get_all_details
+
+def append_severity_definition(log_text):
+    severity_definitions = {
+        "Information": "The event provides useful context but is not critical.",
+        "Notice": "Signifies noteworthy event that do not require immediate action.",
+        "Warning": "Indicates potential issue that should be addressed and should be investigated before escalation.",
+        "Error": "Indicates a problem that needs to be resolved and impacts system functionality but doesn't cause immediate service disruption.",
+        "Critical": "Indicates a severe issue that causes significant loss of service and requires immediate attention.",
+    }
+
+    match = re.search(r"Severity:\s*(\S+)", log_text)
+    if match:
+        severity = match.group(1)
+        definition = severity_definitions.get(severity)
+        if definition:
+            log_text = re.sub(
+                r"(Severity:\s*" + re.escape(severity) + r")\n",
+                r"\1\n    - Severity Definition: " + definition + "\n",
+                log_text,
+            )
+    return log_text
+
+
+def format_sophos_row(row):
+    def get_value(key, default="Unknown"):
+        return row.get(key, default)
+
+    return f"""
+- Device Information
+    - Device Name: {get_value("device_name")}
+    - Device Model: {get_value("device_model")}
+    - Device Serial ID: {get_value("device_serial_id")}
+
+- Connection Details
+    - Source IP: {get_value("src_ip")}
+    - Source Country: {get_value("src_country", "Unknown") if get_value("src_country") != 'R1' else "Unknown"}
+    - Destination IP: {get_value("dst_ip")}
+    - Destination Country: {get_value("dst_country", "Unknown") if get_value("dst_country") != 'R1' else "Unknown"}
+    - Protocol: {get_value("protocol")}
+    - Source Port: {get_value("src_port")}
+    - Destination Port: {get_value("dst_port")}
+    - Timestamp: {get_value("timestamp")}
+
+- Log Information
+    - Log Type: {get_value("log_type")}
+    - Log Component: {get_value("log_component")}
+    - Log Subtype: {get_value("log_subtype")}
+    - Severity: {get_value("severity")}
+
+- Additional Information
+    - Heartbeat Status: {get_value("hb_status")}
+    - Application Resolved By: {get_value("app_resolved_by")}
+    - Application Is Cloud: {get_value("app_is_cloud")}
+"""
+
+
+def format_azure_sign_in_logs(data_row):
+    def get_value(key, default="Unknown"):
+        return data_row.get(key, default)
+
+    device_detail = (
+        f"\n- Device Detail:"
+        f"\n Device ID: {get_value('deviceDetail_deviceId')}"
+        f"\n Display Name: {get_value('deviceDetail_displayName')}"
+        f"\n Operating System: {get_value('deviceDetail_operatingSystem')}"
+        f"\n Browser: {get_value('deviceDetail_browser')}"
+        f"\n Compliance: {get_value('deviceDetail_isCompliant')}"
+        f"\n Managed: {get_value('deviceDetail_isManaged')}"
+        f"\n Trust Type: {get_value('deviceDetail_trustType')}"
+    )
+
+    location = (
+        f"\n- Location:"
+        f"\n City: {get_value('location_city')}"
+        f"\n State: {get_value('location_state')}"
+        f"\n Country/Region: {get_value('location_countryOrRegion')}"
+        f"\n Latitude: {get_value('location_geoCoordinates_latitude')}"
+        f"\n Longitude: {get_value('location_geoCoordinates_longitude')}"
+    )
+
+    return (
+        f"Created Date: {get_value('createdDateTime')}\n"
+        f"User: {get_value('userDisplayName')}\n"
+        f"User Principal Name: {get_value('userPrincipalName')}\n"
+        f"User ID: {get_value('userId')}\n"
+        f"Application ID: {get_value('appId')}\n"
+        f"Application Display Name: {get_value('appDisplayName')}\n"
+        f"IP Address: {get_value('ipAddress')}\n"
+        f"More information about Location:{get_all_details({get_value('ipAddress')})}"
+        f"Client App Used: {get_value('clientAppUsed')}\n"
+        f"Conditional Access Status: {get_value('conditionalAccessStatus')}\n"
+        f"{device_detail}\n"
+        f"{location}\n"
+        f"- Status: {get_value('status_additionalDetails')}\n"
+    )
+
+
+def format_palo_alto_logs(data_row):
+    def get_value(key, default="Unknown"):
+        return data_row.get(key, default)
+
+    core_identifiers = (
+        f"Source: {get_value('src')}\n"
+        f"Destination: {get_value('dest')}\n"
+        f"Source IP: {get_value('src_ip')}\n"
+        f"Destination IP: {get_value('dest_ip')}\n"
+        f"Source Port: {get_value('src_port')}\n"
+        f"Destination Port: {get_value('dest_port')}\n"
+        f"Protocol: {get_value('protocol')}\n"
+    )
+
+    traffic_volume = (
+        f"Bytes: {get_value('bytes')}\n"
+        f"Bytes In: {get_value('bytes_in')}\n"
+        f"Bytes Out: {get_value('bytes_out')}\n"
+        f"Packets: {get_value('packets')}\n"
+        f"Packets In: {get_value('packets_in')}\n"
+        f"Packets Out: {get_value('packets_out')}\n"
+    )
+
+    temporal_info = (
+        f"Start Time: {get_value('start_time')}\n"
+        f"Date: {get_value('date_year')}-{get_value('date_month')}-{get_value('date_mday')} "
+        f"{get_value('date_hour')}:{get_value('date_minute')}:{get_value('date_second')}\n"
+        f"Duration: {get_value('duration')}\n"
+    )
+
+    network_device_info = (
+        f"Source Zone: {get_value('src_zone')}\n"
+        f"Destination Zone: {get_value('dest_zone')}\n"
+        f"Source Interface: {get_value('src_interface')}\n"
+        f"Destination Interface: {get_value('dest_interface')}\n"
+        f"Device ID: {get_value('dvc')}\n"
+        f"Device Name: {get_value('dvc_name')}\n"
+    )
+
+    app_user_info = (
+        f"Application: {get_value('application')}\n"
+        f"User: {get_value('user')}\n"
+        f"User Agent: {get_value('user_agent')}\n"
+    )
+
+    security_info = (
+        f"Action: {get_value('action')}\n"
+        f"Severity: {get_value('severity')}\n"
+        f"Threat: {get_value('threat')}\n"
+        f"Threat Category: {get_value('threat_category')}\n"
+        f"Signature: {get_value('signature')}\n"
+        f"Signature ID: {get_value('signature_id')}\n"
+    )
+
+    return (
+        f"{core_identifiers}\n"
+        f"{traffic_volume}\n"
+        f"{temporal_info}\n"
+        f"{network_device_info}\n"
+        f"{app_user_info}\n"
+        f"{security_info}\n"
+    )
+
+def format_office365_logs(data_row):
+    def get_value(key, default="Unknown"):
+        return data_row.get(key, default)
+
+    actor_info = (
+        f"- Actor Information:\n"
+        f"    - User ID: {get_value('UserId')}\n"
+        f"    - User Key: {get_value('UserKey')}\n"
+        f"    - User Type: {get_value('UserType')}\n"
+        f"    - User Principal Name: {get_value('UserPrincipalName')}\n"
+        f"    - Actor IP Address: {get_value('ActorIpAddress')}\n"
+    )
+
+    device_info = (
+        f"- Device Information:\n"
+        f"    - Client IP: {get_value('ClientIP')}\n"
+        f"    - Client App ID: {get_value('ClientAppId')}\n"
+        f"    - Client App Name: {get_value('AppAccessContext.ClientAppName')}\n"
+        f"    - Device ID: {get_value('DeviceId')}\n"
+        f"    - Device Name: {get_value('DeviceName')}\n"
+        f"    - Device Operating System: {get_value('DeviceOperatingSystem')}\n"
+    )
+
+    operation_info = (
+        f"- Operation Information:\n"
+        f"    - Operation: {get_value('Operation')}\n"
+        f"    - Operation Properties: {get_value('OperationProperties')}\n"
+        f"    - Object ID: {get_value('ObjectId')}\n"
+        f"    - Object Type: {get_value('ObjectType')}\n"
+        f"    - Object Name: {get_value('ObjectName')}\n"
+    )
+
+    policy_info = (
+        f"- Policy Information:\n"
+        f"    - Policy Details: {get_value('PolicyDetails')}\n"
+        f"    - Policy Identifier: {get_value('PolicyIdentifierString')}\n"
+        f"    - Policy Last Updated Time: {get_value('PolicyLastUpdatedTime')}\n"
+    )
+
+    event_info = (
+        f"- Event Information:\n"
+        f"    - Creation Time: {get_value('CreationTime')}\n"
+        f"    - Result Status: {get_value('ResultStatus')}\n"
+        f"    - Record Type: {get_value('RecordType')}\n"
+        f"    - Request ID: {get_value('RequestId')}\n"
+        f"    - Organization ID: {get_value('OrganizationId')}\n"
+        f"    - Organization Name: {get_value('OrganizationName')}\n"
+        f"    - Tenant ID: {get_value('TenantId')}\n"
+    )
+
+    additional_info = (
+        f"- Additional Information:\n"
+        f"    - App Display Name: {get_value('ApplicationDisplayName')}\n"
+        f"    - User Agent: {get_value('UserAgent')}\n"
+        f"    - Session ID: {get_value('SessionId')}\n"
+    )
+
+    return (
+        f"{actor_info}\n"
+        f"{device_info}\n"
+        f"{operation_info}\n"
+        f"{policy_info}\n"
+        f"{event_info}\n"
+        f"{additional_info}\n"
+    )
+
+
+def flatten_json(json_data, parent_key="", separator="_"):
+    def _flatten(obj, parent_key=""):
+        items = {}
+        for k, v in obj.items():
+            new_key = f"{parent_key}{separator}{k}" if parent_key else k
+            if isinstance(v, dict):
+                items.update(_flatten(v, new_key))
+            else:
+                items[new_key] = v
+        return items
+
+    return _flatten(json_data, parent_key)
+
+def detect_log_type(log_data):
+    if "device_name" in log_data and "src_ip" in log_data and "dst_ip" in log_data:
+        return "sophos"
+    elif "userPrincipalName" in log_data and "ipAddress" in log_data:
+        return "azure-sign-in"
+    elif "src" in log_data and "dest" in log_data and "severity" in log_data:
+        return "palo-alto"
+    elif "UserId" in log_data and "ClientIP" in log_data and "Operation" in log_data:
+        return "office365"
+    else:
+        return "Unknown"

testing_input.py

@@ -0,0 +1,34 @@
+   # Example log input
+log_input = """
+user	total_count_by_user	ClientIP	count	cyences_severity	Country	Region	City	Last_Failed_Login	user_type	authentication_method	LogonError	failureReason	additionalDetails	appDisplayName	clientAppUsed	conditionalAccessStatus	isInteractive	ExtendedProperties	ApplicationId
+cradmin@crossrealms.com	58	2601:249:8e80:bf40:f0e5:db8:d44d:fe35	1	info	United States	Illinois	Chicago	2023-07-24 14:06:19 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 UserAuthenticationMethod : 1	00000006-0000-0ff1-ce00-000000000000
+jlaing@crossrealms.com	55	162.204.225.100	53	info	United States	Illinois	Highland Park	2023-09-19 13:10:10 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : Login:reprocess RequestType : OAuth2:Authorize RequestType : OAuth2:Token RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success ResultStatusDetail : UserError UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Windows-AzureAD-Authentication-Provider/1.0 UserAuthenticationMethod : 1	1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e 386ce8c0-7421-48c9-a1df-2a532400339f 38aa3b87-a06d-4817-b275-7a316988d93b 4765445b-32c6-49b0-83e6-1d93765276ca 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 6204c1d1-4712-4c46-a7d9-3ed63d992682 7f67af8a-fedc-4b08-8b4e-37c4d127b6cf 81feaced-5ddd-41e7-8bef-3e20a2689bb7 871c010f-5e61-4fb1-83ac-98610a7e9110 8c59ead7-d703-4a27-9e55-c96a0054c8d2 c44b4083-3bb0-49c1-b47d-974e53cbdf3c dd762716-544d-4aeb-a526-687b73838a22 de50c81f-5f80-4771-b66b-cebd28ccdfc1
+jlaing@crossrealms.com	55	20.80.3.238	2	info	United States	Illinois	Chicago	2023-08-30 08:16:06 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000 386ce8c0-7421-48c9-a1df-2a532400339f
+ayamani_admin@crossrealms.com	48	38.100.101.129	12	info	United States	Illinois	Chicago	2023-09-19 09:57:01 PDT	Regular	Password	FlowTokenExpired InvalidUserNameOrPassword PasswordResetRegistrationRequiredInterrupt UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000 4765445b-32c6-49b0-83e6-1d93765276ca c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	92.253.31.66	8	info	Jordan	Amman Governorate	Amman	2023-07-31 11:43:53 PDT	Regular	Password	FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	4765445b-32c6-49b0-83e6-1d93765276ca c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	176.28.251.92	3	info	Jordan	Amman Governorate	Amman	2023-09-12 06:07:40 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76 UserAuthenticationMethod : 1	1b730954-1685-4b74-9bfd-dac224a7b894 4765445b-32c6-49b0-83e6-1d93765276ca
+ayamani_admin@crossrealms.com	48	176.29.167.129	3	info	Jordan	Amman Governorate	Amman	2023-09-13 02:18:06 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76 UserAuthenticationMethod : 1	497effe9-df71-4043-a8bb-14cf78c4b63b fb78d390-0c51-40cd-8e17-fdbfab77341b
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:250c:d479:a88:5c36	3	info	Jordan	Amman Governorate	Amman	2023-07-31 04:47:04 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:29d7:9fc3:5711:b610	3	info	Jordan	Amman Governorate	Amman	2023-07-31 13:38:06 PDT	Regular	Password	FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:581c:4679:86cd:4530	3	info	Jordan	Amman Governorate	Amman	2023-07-31 14:15:30 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	46.185.168.168	3	info	Jordan	Amman Governorate	Amman	2023-09-01 04:41:07 PDT	Regular	Password	PasswordResetRegistrationRequiredInterrupt UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : Login:reprocess RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAuthenticationMethod : 1	1b730954-1685-4b74-9bfd-dac224a7b894 c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	92.253.31.230	3	info	Jordan	Amman Governorate	Amman	2023-09-14 10:06:28 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	86.108.19.83	2	info	Jordan	Amman Governorate	Amman	2023-09-25 04:11:48 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.41 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:28db:e128:dfb8:a499	1	info	Jordan	Amman Governorate	Amman	2023-07-31 14:32:31 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:8829:825f:40d1:314a	1	info	Jordan	Amman Governorate	Amman	2023-07-31 11:15:05 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:a905:7f34:b0a0:5902	1	info	Jordan	Amman Governorate	Amman	2023-07-31 04:02:21 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:a966:d9c7:927b:7206	1	info	Jordan	Amman Governorate	Amman	2023-07-31 05:02:19 PDT	Regular	Password	InvalidUserNameOrPassword							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+ayamani_admin@crossrealms.com	48	2a01:9700:1171:d000:aca3:934a:6a67:bf20	1	info	Jordan	Amman Governorate	Amman	2023-07-31 14:51:06 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188 UserAuthenticationMethod : 1	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
+iobaid@crossrealms.com	42	5.46.192.89	12	info	Türkiye	Istanbul	Istanbul	2023-07-31 00:30:54 PDT	Regular	Password	AuthenticationFailedSasError BlockedByConditionalAccess FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) PKeyAuth/1.0 UserAuthenticationMethod : 1	1fec8e78-bce4-4aaf-ab1b-5451cc387264 27922004-5251-4030-b22d-91ecd9a37ea4
+iobaid@crossrealms.com	42	159.146.45.29	11	info	Türkiye	Istanbul	Istanbul	2023-09-18 04:45:47 PDT	Regular	Password	AdminConsentRequiredRequestAccess InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : Login:reprocess RequestType : OAuth2:Authorize RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.62 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000003-0000-0ff1-ce00-000000000000 0000000c-0000-0000-c000-000000000000 1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e 4765445b-32c6-49b0-83e6-1d93765276ca
+iobaid@crossrealms.com	42	159.146.14.253	5	info	Türkiye	Istanbul	Istanbul	2023-08-14 02:29:10 PDT	Regular	Password	InvalidUserNameOrPassword							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000
+iobaid@crossrealms.com	42	159.146.18.252	4	info	Türkiye	Istanbul	Istanbul	2023-09-21 22:54:07 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000 18fbca16-2224-45f6-85b0-f7bf2b39b3f3
+iobaid@crossrealms.com	42	159.146.45.117	4	info	Türkiye	Istanbul	Istanbul	2023-09-06 01:17:23 PDT	Regular	Password	InvalidUserNameOrPassword							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1	29d9ed98-a469-4536-ade2-f981bc1d605e
+iobaid@crossrealms.com	42	5.46.251.148	3	info	Türkiye	Istanbul	Istanbul	2023-09-22 13:30:35 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000003-0000-0ff1-ce00-000000000000
+iobaid@crossrealms.com	42	159.146.14.116	1	info	Türkiye	Istanbul	Istanbul	2023-08-20 23:39:56 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000003-0000-0ff1-ce00-000000000000
+iobaid@crossrealms.com	42	159.146.14.128	1	info	Türkiye	Istanbul	Istanbul	2023-08-15 07:56:14 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000003-0000-0ff1-ce00-000000000000
+iobaid@crossrealms.com	42	159.146.18.85	1	info	Türkiye	Istanbul	Istanbul	2023-08-18 08:59:58 PDT	Regular	Password	UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1 UserAuthenticationMethod : 1	00000003-0000-0ff1-ce00-000000000000
+htailooni@crossrealms.com	40	79.173.219.190	12	info	Jordan	Amman Governorate	Amman	2023-07-27 23:12:59 PDT	Regular	Password	FlowTokenExpired UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.183 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000 1fec8e78-bce4-4aaf-ab1b-5451cc387264 29d9ed98-a469-4536-ade2-f981bc1d605e d3590ed6-52b3-4102-aeff-aad2292ab01c
+htailooni@crossrealms.com	40	92.253.31.230	9	info	Jordan	Amman Governorate	Amman	2023-09-14 10:32:22 PDT	Regular	Password	InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 UserAuthenticationMethod : 1	00000002-0000-0ff1-ce00-000000000000
+htailooni@crossrealms.com	40	94.249.108.201	6	info	Jordan	Amman Governorate	Amman	2023-08-28 06:00:20 PDT	Regular	Password	FlowTokenExpired InvalidUserNameOrPassword UserStrongAuthClientAuthNRequiredInterrupt							RequestType : Login:login RequestType : OAuth2:Authorize RequestType : SAS:BeginAuth RequestType : SAS:EndAuth ResultStatusDetail : Success UserAgent : Mozilla/5.0 (Linux; Android 10; MAR-LX1M Build/HUAWEIMAR-L21MEA; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/115.0.5790.166 Mobile Safari/537.36 PKeyAuth/1.0 UserAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 UserAuthenticationMethod : 1	1fec8e78-bce4-4aaf-ab1b-5451cc387264 d3590ed6-52b3-4102-aeff-aad2292ab01c dd762716-544d-4aeb-a526-687b73838a22
+"""