Algorithm-ToNumberMunger
view release on metacpan or search on metacpan
lib/Algorithm/ToNumberMunger.pm view on Meta::CPAN
# Azure AD / Entra sign-in ResultType codes collapsed to a compact
# reason category -- the raw code is a huge sparse space whose
# magnitude carries no signal. Keys are the numeric codes as
# logged; only the common subset is baked in, the rest take the
# default.
'0' => 0, # success
'50126' => 1, # invalid username or password
'50056' => 1, # invalid or null password
'50034' => 2, # user does not exist in directory
'50057' => 3, # account disabled
'50053' => 4, # account locked / smart lockout
'50055' => 5, # password expired
'50144' => 5, # AD password expired
'50074' => 6, # strong auth (MFA) required
'50076' => 6, # MFA required by conditional access
'50079' => 6, # user must enroll for MFA
'500121' => 7, # MFA denied / authentication failed
'50158' => 7, # external security challenge not satisfied
'53003' => 8, # blocked by conditional access
'53000' => 8, # device not compliant (CA)
'53001' => 8, # device not domain joined (CA)
'530032' => 8, # blocked by security policy (CA)
'50173' => 9, # fresh auth token required (session expired)
},
},
risk_level => {
numeric => 0,
map => {
# Entra Identity Protection riskLevel, ordinal. hidden /
# unknownFutureValue are left to the default.
none => 0,
low => 1,
medium => 2,
high => 3,
},
},
aws_principal_type => {
numeric => 0,
map => {
# CloudTrail userIdentity.type. Nominal (distinct stable numbers);
# 'root' is the value you actually alert on.
do {
my @o = qw(
root iamuser assumedrole federateduser samluser
webidentityuser directory identitycenteruser
awsaccount awsservice unknown
);
map { $o[$_] => $_ } 0 .. $#o;
},
},
},
aad_client_app => {
numeric => 0,
map => {
# Azure AD ClientAppUsed. Numbered so the modern clients sort low
# and the legacy-auth protocols (which cannot do MFA) sort high --
# a ">= 2 means legacy auth" threshold is the feature you want.
do {
my %m = (
'browser' => 0,
'mobile apps and desktop clients' => 1,
);
my @legacy = (
'exchange activesync',
'imap4',
'pop3',
'authenticated smtp',
'smtp',
'mapi over http',
'exchange web services',
'exchange online powershell',
'autodiscover',
'offline address book',
'other clients',
);
my $i = 2;
$m{$_} = $i++ for @legacy;
$m{'imap'} = $m{'imap4'};
$m{'pop'} = $m{'pop3'};
$m{'mapi'} = $m{'mapi over http'};
%m;
},
},
},
risk_state => {
numeric => 0,
map => {
# Entra Identity Protection riskState.
none => 0,
confirmedsafe => 1,
remediated => 2,
dismissed => 3,
atrisk => 4,
confirmedcompromised => 5,
},
},
vpc_flow_log_status => {
numeric => 0,
map => {
# VPC Flow Logs log-status.
ok => 0,
nodata => 1,
skipdata => 2,
},
},
aws_event_type => {
numeric => 0,
map => {
# CloudTrail eventType. AwsConsoleSignIn is the one you flag.
awsapicall => 0,
awsserviceevent => 1,
awsconsoleaction => 2,
awsconsolesignin => 3,
awscloudtrailinsight => 4,
},
},
conditional_access_result => {
numeric => 0,
map => {
# Azure AD sign-in conditionalAccessStatus.
success => 0,
( run in 2.070 seconds using v1.01-cache-2.11-cpan-7fcb06a456a )