Algorithm-ToNumberMunger

 view release on metacpan or  search on metacpan

lib/Algorithm/ToNumberMunger.pm  view on Meta::CPAN

			# Azure AD / Entra sign-in ResultType codes collapsed to a compact
			# reason category -- the raw code is a huge sparse space whose
			# magnitude carries no signal. Keys are the numeric codes as
			# logged; only the common subset is baked in, the rest take the
			# default.
			'0'      => 0,    # success
			'50126'  => 1,    # invalid username or password
			'50056'  => 1,    # invalid or null password
			'50034'  => 2,    # user does not exist in directory
			'50057'  => 3,    # account disabled
			'50053'  => 4,    # account locked / smart lockout
			'50055'  => 5,    # password expired
			'50144'  => 5,    # AD password expired
			'50074'  => 6,    # strong auth (MFA) required
			'50076'  => 6,    # MFA required by conditional access
			'50079'  => 6,    # user must enroll for MFA
			'500121' => 7,    # MFA denied / authentication failed
			'50158'  => 7,    # external security challenge not satisfied
			'53003'  => 8,    # blocked by conditional access
			'53000'  => 8,    # device not compliant (CA)
			'53001'  => 8,    # device not domain joined (CA)
			'530032' => 8,    # blocked by security policy (CA)
			'50173'  => 9,    # fresh auth token required (session expired)
		},
	},
	risk_level => {
		numeric => 0,
		map     => {
			# Entra Identity Protection riskLevel, ordinal. hidden /
			# unknownFutureValue are left to the default.
			none   => 0,
			low    => 1,
			medium => 2,
			high   => 3,
		},
	},
	aws_principal_type => {
		numeric => 0,
		map     => {
			# CloudTrail userIdentity.type. Nominal (distinct stable numbers);
			# 'root' is the value you actually alert on.
			do {
				my @o = qw(
					root iamuser assumedrole federateduser samluser
					webidentityuser directory identitycenteruser
					awsaccount awsservice unknown
				);
				map { $o[$_] => $_ } 0 .. $#o;
			},
		},
	},
	aad_client_app => {
		numeric => 0,
		map     => {
			# Azure AD ClientAppUsed. Numbered so the modern clients sort low
			# and the legacy-auth protocols (which cannot do MFA) sort high --
			# a ">= 2 means legacy auth" threshold is the feature you want.
			do {
				my %m = (
					'browser'                         => 0,
					'mobile apps and desktop clients' => 1,
				);
				my @legacy = (
					'exchange activesync',
					'imap4',
					'pop3',
					'authenticated smtp',
					'smtp',
					'mapi over http',
					'exchange web services',
					'exchange online powershell',
					'autodiscover',
					'offline address book',
					'other clients',
				);
				my $i = 2;
				$m{$_}     = $i++ for @legacy;
				$m{'imap'} = $m{'imap4'};
				$m{'pop'}  = $m{'pop3'};
				$m{'mapi'} = $m{'mapi over http'};
				%m;
			},
		},
	},
	risk_state => {
		numeric => 0,
		map     => {
			# Entra Identity Protection riskState.
			none                 => 0,
			confirmedsafe        => 1,
			remediated           => 2,
			dismissed            => 3,
			atrisk               => 4,
			confirmedcompromised => 5,
		},
	},
	vpc_flow_log_status => {
		numeric => 0,
		map     => {
			# VPC Flow Logs log-status.
			ok       => 0,
			nodata   => 1,
			skipdata => 2,
		},
	},
	aws_event_type => {
		numeric => 0,
		map     => {
			# CloudTrail eventType. AwsConsoleSignIn is the one you flag.
			awsapicall           => 0,
			awsserviceevent      => 1,
			awsconsoleaction     => 2,
			awsconsolesignin     => 3,
			awscloudtrailinsight => 4,
		},
	},
	conditional_access_result => {
		numeric => 0,
		map     => {
			# Azure AD sign-in conditionalAccessStatus.
			success    => 0,



( run in 2.070 seconds using v1.01-cache-2.11-cpan-7fcb06a456a )