Fix: Microsoft Intune Warning (358) #1434

Open
wants to merge 2 commits into
base: main

vg-svitla
Contributor

Fixes 358

@vg-svitla requested a review from squioc January 16, 2025 07:58

github-actions bot commented Jan 16, 2025

Smart descriptions generated from the latest tests at 2025-01-16 07:58:58:

| Test File | Smart Description |
| --- | --- |
| Microsoft/microsoft-intune/tests/ActorType1.json | Operation Rename device ManagedDevice performed by [email protected] |
| Microsoft/microsoft-intune/tests/AuditLogs.json | Operation Delete MobileAppAssignment performed by [email protected] |
| Microsoft/microsoft-intune/tests/DeviceComplianceOrg.json | Operation DeviceCompliance performed on device DESKTOP-086N6KI |
| Microsoft/microsoft-intune/tests/Devices.json | Operation Devices performed on device Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM |
| Microsoft/microsoft-intune/tests/OperationalLogs.json | Operation Compliance performed on device TheShire-W744 |
| Microsoft/microsoft-intune/tests/Warning1.json | (raw event JSON, omitted) |
| Microsoft/microsoft-intune/tests/Warning2.json | (raw event JSON, omitted) |

- name: set_common_fields
filter: "{{json_event.message.category not in ['MicrosoftGraphActivityLogs', 'NonInteractiveUserSignInLogs']}}"
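Review bot: The `filter` on `set_common_fields` is a deny-list, so the stage still runs for any event whose `category` is something other than the two listed values, and also for an event with no `category` key at all, since `not in` is true in both cases. If the stage is only meant for the Intune categories, test for the categories it handles and let everything else skip it.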
Collaborator

I suggest testing the category against the ones expected, not against the ones non-expected:

Suggested change
filter: "{{json_event.message.category not in ['MicrosoftGraphActivityLogs', 'NonInteractiveUserSignInLogs']}}"
filter: "{{json_event.message.category in ['AuditLogs', 'DeviceComplianceOrg', 'Devices', 'OperationalLogs']}}"
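Review bot: The allow-list in the second `filter:` line mirrors four of the test file names in this PR (AuditLogs, DeviceComplianceOrg, Devices, OperationalLogs), but the `category` value carried by ActorType1.json is not visible here. Confirm that event's category is in the list, and that the strings match the events' casing exactly, because `in` compares case-sensitively and an unlisted category would now skip `set_common_fields`.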
