Kafdrop: Topic: logstash-local-windows: Messages

Topic Messages: logstash-local-windows

First Offset: 0 Last Offset: 18869 Size: 18869

Partition

Offset

# messages

Message format

Protobuf descriptor

Protobuf message type name

Offset: 0 Key: Timestamp: 2026-05-06 04:53:43.714 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t45902\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"1e340f1ba99aabedb6ba723d3d9d5ba11d7ed84ca30ff67bb2dc93265e1fc782","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:04.185Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:02.651Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204127292,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"45902","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 1 Key: Timestamp: 2026-05-06 04:53:43.715 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t45902\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"1e340f1ba99aabedb6ba723d3d9d5ba11d7ed84ca30ff67bb2dc93265e1fc782","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:04.185Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:02.651Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1008}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127293,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"45902"},"channel":"Security"}}

Offset: 2 Key: Timestamp: 2026-05-06 04:53:43.715 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:30.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:29.480Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526055,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 3 Key: Timestamp: 2026-05-06 04:53:43.715 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3c0dee3dbdc8565097384cc8cdbc889fe46f51b786ea28610447469ffa05bb90","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:07.213Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:06.075Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127294,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"41807"},"channel":"Security"}}

Offset: 4 Key: Timestamp: 2026-05-06 04:53:43.715 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59364\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"57aecd948873ede59ba08b900c20991a3cf00eb653b0e571f9d21f692b6418a4","action":"Filtering Platform Connection","created":"2026-05-05T08:09:14.241Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:12.714Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":204127295,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"6","ProcessId":"2668","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59364"},"channel":"Security"}}

Offset: 5 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:30.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:29.480Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1756}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526056,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 6 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59364\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"873a0455d35a0c8e59f58be4d5643f2a0e03d8615d389ad6428607b5fe4db394","action":"Filtering Platform Connection","created":"2026-05-05T08:09:14.241Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:12.714Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"version":1,"api":"wineventlog","record_id":204127296,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","RemoteUserID":"S-1-0-0","LayerRTID":"48","FilterRTID":"67111","SourcePort":"59364"},"channel":"Security"}}

Offset: 7 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:30.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:29.480Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526057,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 8 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59364\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3713cceaa15854ff8f5283aac4007f97527158979811412ac09480bb7115f947","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:17.264Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:15.713Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204127297,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"59364","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67096","SourcePort":"1514"},"channel":"Security"}}

Offset: 9 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:04:30.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:29.481Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253526058,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 10 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.939Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127298,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 11 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.939Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127299,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 12 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.942Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127300,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 13 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.950Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":204127301,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 14 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.951Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127302,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 15 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.951Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127303,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 16 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.952Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127304,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 17 Key: Timestamp: 2026-05-06 04:53:43.793 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2488\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t55967\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d444ed53fda490b49610d53f3a9e3bf19a885d267903c0894d58bd4d6e8b30af","action":"Filtering Platform Connection","created":"2026-05-05T08:04:36.763Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:35.269Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2748}},"event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526059,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2488","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"55967"},"channel":"Security"}}

Offset: 18 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.963Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127305,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 19 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2488\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t55967\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1514\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67057\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"96ca84701ae9c3c620617677c74fce1e4e955d163b9a9fa834c285e1341c6725","action":"Filtering Platform Connection","created":"2026-05-05T08:04:36.763Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:35.269Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2748}},"event_id":5156,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":253526060,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55967","DestPort":"1514","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.206","ProcessID":"2488","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","FilterRTID":"67057","Direction":"%%14593"},"channel":"Security"}}

Offset: 20 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.963Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127306,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 21 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3354b778926a79b0d6f9f99c2082cb96ff54936b0374dac14aa3eed93bf9d056","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:36.763Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:36.067Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2748}},"event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526061,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67683","SourcePort":"41807"},"channel":"Security"}}

Offset: 22 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.963Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1416}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204127307,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 23 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:19.288Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:17.964Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":204127308,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 24 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59364\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3713cceaa15854ff8f5283aac4007f97527158979811412ac09480bb7115f947","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:19.288Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:18.723Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204127309,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59364","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 25 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t928\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59359\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t135\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"78c2eeb64c03dd09dd912d646fcd3e835f1731ac1d716c2d58902d7817a3eb45","action":"Filtering Platform Connection","created":"2026-05-05T08:09:21.301Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:19.367Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1416}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":204127310,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59359","DestPort":"135","DestAddress":"fe80::6c1c:1afd:b16:ecb9","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"928","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 26 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t47913\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b57081bee6d2a943143a0c93ba4f29bb4effaae6c762eb316e07be28d1e76da1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:24.335Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:23.185Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4900}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204127311,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"47913","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 27 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t55967\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ed9470660cd41fa89b48a29c29d0ad52d8cd584c62aa5b12f28bd5ddd41bedab","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:39.787Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:38.260Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1756}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526062,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"55967","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.2.163","LayerName":"%%14601","Protocol":"6","Application":"-","LayerRTID":"28","FilterRTID":"67042","SourcePort":"1514"},"channel":"Security"}}

Offset: 28 Key: Timestamp: 2026-05-06 04:53:43.794 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t47913\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b57081bee6d2a943143a0c93ba4f29bb4effaae6c762eb316e07be28d1e76da1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:24.335Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:23.185Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":4900}},"event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204127312,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"47913","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 29 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55787\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"43287415a7fe26b2c4698b6e47829845b0e4894d490c1d0495015d37444f2e46","action":"Filtering Platform Connection","created":"2026-05-05T08:04:41.806Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:40.101Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":2748}},"computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"opcode":"Info","record_id":253526063,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55787","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 30 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59364\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3713cceaa15854ff8f5283aac4007f97527158979811412ac09480bb7115f947","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:26.340Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:24.723Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4900}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204127313,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"59364","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 31 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t55967\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ed9470660cd41fa89b48a29c29d0ad52d8cd584c62aa5b12f28bd5ddd41bedab","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:42.818Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:41.270Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":2748}},"event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526064,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"55967","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","Direction":"%%14592"},"channel":"Security"}}

Offset: 32 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1514\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t55967\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67042\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ed9470660cd41fa89b48a29c29d0ad52d8cd584c62aa5b12f28bd5ddd41bedab","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:04:48.862Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:47.280Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3088}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526065,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1514","DestPort":"55967","ProcessId":"0","DestAddress":"172.30.4.206","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67042","Direction":"%%14592"},"channel":"Security"}}

Offset: 33 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t684\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t59132\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"93506dfb3abecd4fe8f124b5dc22f381e7878dc2c3f8645da1e0cb83f73c9a8e","action":"Filtering Platform Connection","created":"2026-05-05T08:09:30.377Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:29.224Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"version":1,"record_id":204127314,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59132","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"684","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 34 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2744872422-3021103393-397187185-1104\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x1678563\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"8a8f54bc32e3d65c6a32f7e6c36e1b8d92e986a5c1a536d25d33828370b98196","action":"Logoff","created":"2026-05-05T08:04:50.886Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:04:49.389Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":2484}},"event_id":4634,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526066,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"WIN-MDLQ2GQ94V9$","TargetLogonId":"0x1678563","TargetDomainName":"TDARPLATFORM","TargetUserSid":"S-1-5-21-2744872422-3021103393-397187185-1104"},"channel":"Security"}}

Offset: 35 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3c0dee3dbdc8565097384cc8cdbc889fe46f51b786ea28610447469ffa05bb90","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:09:37.434Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:36.076Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"opcode":"Info","record_id":204127315,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"41807","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 36 Key: Timestamp: 2026-05-06 04:53:43.796 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:09:39.456Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:09:37.953Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1008}},"event_id":4703,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204127316,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 37 Key: Timestamp: 2026-05-06 04:53:44.510 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:09.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.656Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526744,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 38 Key: Timestamp: 2026-05-06 04:53:44.510 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t59048\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e9935b167a8640bdc3dfc285634264fb924287c9537d300ade5b0d09b041d83b","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:14:33.002Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:31.755Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":204128108,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"59048"},"channel":"Security"}}

Offset: 39 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:09.712Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.658Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526745,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 40 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t1900\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t59048\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b25c874534914f36240700f9c0465c41684bf5656a8666634306ecd025c199ad","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:14:33.003Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:31.755Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128109,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"59048","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67801","SourcePort":"1900"},"channel":"Security"}}

Offset: 41 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:10.735Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.666Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526746,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 42 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t1064\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t123\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t123\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"0255da48e69395d34af58511ab9e5187489f73a4b415469fcf2febd499f3d073","action":"Filtering Platform Connection","created":"2026-05-05T08:14:33.003Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:32.284Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"version":1,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128110,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"123","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.205","ProcessID":"1064","Protocol":"17","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","FilterRTID":"67111","SourcePort":"123"},"channel":"Security"}}

Offset: 43 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:10.735Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.667Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":253526747,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 44 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"An operation was performed on an object.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E5\n\nObject:\n\tObject Server:\t\tLSA\n\tObject Type:\t\tSecretObject\n\tObject Name:\t\tPolicy\\Secrets\\$MACHINE.ACC\n\tHandle ID:\t\t0x1d19aed1950\n\nOperation:\n\tOperation Type:\t\tQuery\n\tAccesses:\t\tQuery secret value\n\t\t\t\t\n\tAccess Mask:\t\t0x2\n\tProperties:\t\t-\n\nAdditional Information:\n\tParameter 1:\t\t-\n\tParameter 2:\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"da9d1b727ac285de5686a311751a910ef7cbefb9816aa82cc37c39549767f954","action":"Other Object Access Events","created":"2026-05-05T08:14:33.003Z","code":4662,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:32.297Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":684,"thread":{"id":2124}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4662,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128111,"task":"Other Object Access Events","event_data":{"SubjectUserName":"LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectUserSid":"S-1-5-19","SubjectLogonId":"0x3e5","HandleId":"0x1d19aed1950","ObjectName":"Policy\\Secrets\\$MACHINE.ACC","AdditionalInfo2":"-","Properties":"-","ObjectType":"SecretObject","ObjectServer":"LSA","OperationType":"Query","AdditionalInfo":"-","AccessList":"%%5649\n\t\t\t\t","AccessMask":"0x2"},"channel":"Security"}}

Offset: 45 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:10.735Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.667Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":253526748,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 46 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59394\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"1801327dc3a03bd44ebfa137018b6cc9903a85c7ee7ccdd9bd1c83b05b737f56","action":"Filtering Platform Connection","created":"2026-05-05T08:14:36.027Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:34.041Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128112,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"6","ProcessId":"2668","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59394"},"channel":"Security"}}

Offset: 47 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:10:10.735Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.668Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":4703,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253526749,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 48 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2668\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59394\n\tDestination Address:\t172.30.2.163\n\tDestination Port:\t\t1515\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67111\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d64770a6fa110664782f404fb5f8b604a378049a985836065f8167a536c3299a","action":"Filtering Platform Connection","created":"2026-05-05T08:14:36.027Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:34.041Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","keywords":["Audit Success"],"record_id":204128113,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59394","DestPort":"1515","DestAddress":"172.30.2.163","SourceAddress":"172.30.4.205","ProcessID":"2668","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\program files (x86)\\ossec-agent\\wazuh-agent.exe","RemoteUserID":"S-1-0-0","LayerRTID":"48","FilterRTID":"67111","Direction":"%%14593"},"channel":"Security"}}

Offset: 49 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55788\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"ccb2ff4257a6880dfb972870df258cdcf9c8c704492c54d40a3ee3d5bdd7492f","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.847Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","keywords":["Audit Success"],"record_id":253526750,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","FilterRTID":"65786","SourcePort":"55788"},"channel":"Security"}}

Offset: 50 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.196\n\tSource Port:\t\t41807\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67801\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3c0dee3dbdc8565097384cc8cdbc889fe46f51b786ea28610447469ffa05bb90","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:14:38.035Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:36.098Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"opcode":"Info","keywords":["Audit Failure"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128114,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"41807","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.196","LayerName":"%%14597","Protocol":"17","Application":"-","LayerRTID":"13","FilterRTID":"67801","Direction":"%%14592"},"channel":"Security"}}

Offset: 51 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t55996\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d5e2e5c613d1e5d889791cc630ad562aaf3c50b09fd0ef89d77255cdea3fbe54","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.849Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","record_id":253526751,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2476","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"55996"},"channel":"Security"}}

Offset: 52 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.2.163\n\tSource Port:\t\t1515\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t59394\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67096\n\tLayer Name:\t\tICMP Error\n\tLayer Run-Time ID:\t28","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"f37520d04ef7f67407449ec18e764df213674e343dee650b1ce353751278ee1f","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:14:38.035Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:37.035Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128115,"task":"Filtering Platform Packet Drop","event_data":{"SourcePort":"1515","DestPort":"59394","ProcessId":"0","DestAddress":"172.30.4.205","SourceAddress":"172.30.2.163","Protocol":"6","LayerName":"%%14601","Application":"-","LayerRTID":"28","FilterRTID":"67096","Direction":"%%14592"},"channel":"Security"}}

Offset: 53 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55996\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t135\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"32baf1e4d25f07a89ff36b44635f133610afcede562e2087cb400b5c09b67032","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.849Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5156,"api":"wineventlog","version":1,"keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526752,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"135","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"2476","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","FilterRTID":"65788","SourcePort":"55996"},"channel":"Security"}}

Offset: 54 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t138\n\tDestination Address:\t172.30.4.255\n\tDestination Port:\t\t138\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t66960\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d368a0b3ad98ac77d8acbaa358bd055749b3e21397aae055cb972d55a1a51c3e","action":"Filtering Platform Connection","created":"2026-05-05T08:14:39.056Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:37.721Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"version":1,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128116,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"138","DestAddress":"172.30.4.255","SourceAddress":"172.30.4.206","ProcessID":"4","Protocol":"17","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","LayerRTID":"44","FilterRTID":"66960","SourcePort":"138"},"channel":"Security"}}

Offset: 55 Key: Timestamp: 2026-05-06 04:53:44.511 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t900\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55996\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t135\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d2ac90e144143440a8196f0e6bc5e441313cc1614b46f6809134bbe69257c75b","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.850Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"version":1,"record_id":253526753,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55996","DestPort":"135","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"900","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 56 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.056Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.070Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":4703,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":204128117,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 57 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.056Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.070Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128118,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 58 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t54778\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t49670\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"3cf27d395b3e807d6fbf01bccd81a9315e6e2cb0913fae4066a8c25c79d9f517","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.850Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5156,"api":"wineventlog","opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"version":1,"record_id":253526754,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"49670","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","SourcePort":"54778"},"channel":"Security"}}

Offset: 59 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.056Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.073Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204128119,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 60 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55790\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b8033484e28e0f9fd7554abfbda7cd726bc7036cd3237631344cc7896b51194c","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.852Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":253526755,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55790","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","RemoteUserID":"S-1-0-0","LayerRTID":"46","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 61 Key: Timestamp: 2026-05-06 04:53:44.512 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.081Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128120,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 62 Key: Timestamp: 2026-05-06 04:53:44.514 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t55997\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"202cf245f52f4a8c9d522dc96810c02fcd450d00652e69042ab9df7064287365","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.883Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5158,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526756,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2476","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"55997"},"channel":"Security"}}

Offset: 63 Key: Timestamp: 2026-05-06 04:53:44.514 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.082Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128121,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 64 Key: Timestamp: 2026-05-06 04:53:44.514 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55997\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"954bb4a306a1258f96a2e4ce52215607535bc2c6c6e1f57a11a4fedb3e8c5850","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.883Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"api":"wineventlog","record_id":253526757,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55997","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"2476","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 65 Key: Timestamp: 2026-05-06 04:53:44.514 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.082Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128122,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 66 Key: Timestamp: 2026-05-06 04:53:44.514 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55997\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e20d51fb8ca7b714ce7a0d7b6d94fc47ed61a88768c5e74e80a8632072f17d6d","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.883Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","record_id":253526758,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55997","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 67 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.083Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128123,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 68 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x167D6B6\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"881d27bb3447541ffdd0922deb751d3c1855b64f6ffc60aba3b7aec73b6cab05","action":"Special Logon","created":"2026-05-05T08:10:10.735Z","code":4672,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.884Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3540}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4672,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526759,"task":"Special Logon","event_data":{"SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","SubjectUserName":"W2016AD-N25$","SubjectLogonId":"0x167d6b6","PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"},"channel":"Security"}}

Offset: 69 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.094Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128124,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 70 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0x167D6B6\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{A54EF9E1-8031-CC9C-11F5-10B85AC5636F}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55997\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"dccb8ebd48781e1070634bc36ab5cb696176eb62621e3831b1dd0eb7ecadf9f4","action":"Logon","created":"2026-05-05T08:10:10.735Z","code":4624,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.884Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":3540}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":4624,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":2,"api":"wineventlog","record_id":253526760,"task":"Logon","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"-","ProcessId":"0x0","AuthenticationPackageName":"Kerberos","WorkstationName":"-","TransmittedServices":"-","SubjectUserSid":"S-1-0-0","TargetLinkedLogonId":"0x0","SubjectLogonId":"0x0","ElevatedToken":"%%1842","LogonType":"3","LogonProcessName":"Kerberos","KeyLength":"0","TargetDomainName":"TDARPLATFORM.CSOC","TargetUserSid":"S-1-5-18","SubjectDomainName":"-","TargetOutboundUserName":"-","TargetOutboundDomainName":"-","ProcessName":"-","ImpersonationLevel":"%%1833","LogonGuid":"{A54EF9E1-8031-CC9C-11F5-10B85AC5636F}","TargetLogonId":"0x167d6b6","LmPackageName":"-","VirtualAccount":"%%1843","IpPort":"55997","IpAddress":"fe80::cd46:3442:b9b4:26f4","RestrictedAdminMode":"-"},"channel":"Security"}}

Offset: 71 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.094Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":4703,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204128125,"task":"Token Right Adjusted Events","event_data":{"TargetUserName":"WIN-MDLQ2GQ94V9$","SubjectUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 72 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x167D6B6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9ea8097a3d99444cc51504b1aebc6f84603c68d7947fc5bd0121857807455292","action":"Logoff","created":"2026-05-05T08:10:10.735Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.904Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":2484}},"event_id":4634,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","keywords":["Audit Success"],"record_id":253526762,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"W2016AD-N25$","TargetLogonId":"0x167d6b6","TargetUserSid":"S-1-5-18","TargetDomainName":"TDARPLATFORM"},"channel":"Security"}}

Offset: 73 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.095Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":852}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":4703,"opcode":"Info","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":204128126,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 74 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t55998\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9b875279329b28c5abc1e75ee0d51d4e232303d0e4f96f1e75b7baac12e564cf","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.906Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":253526763,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2476","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"55998"},"channel":"Security"}}

Offset: 75 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x124\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9bc7c5f2ac31ab3658a5fd52924314bfdb24b2a602e67e1e82efdb87cd26e038","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:39.057Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.096Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":852}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128127,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"WIN-MDLQ2GQ94V9$","TargetUserName":"WIN-MDLQ2GQ94V9$","ProcessId":"0x124","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 76 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2476\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55998\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"82071a0e88693a762c2289e103579c922e4fa058aab79fa42ccd1e007a580875","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.906Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":3948}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"api":"wineventlog","version":1,"keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526764,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"2476","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\dfsrs.exe","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"55998"},"channel":"Security"}}

Offset: 77 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55998\n\tDestination Address:\tfe80::cd46:3442:b9b4:26f4\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"d3538d843a81e0fc8181131bfed897caea95a3dc1ccdecd0f53c9958a898c51f","action":"Filtering Platform Connection","created":"2026-05-05T08:10:10.735Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.906Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":3948}},"event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"version":1,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526765,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"389","DestAddress":"fe80::cd46:3442:b9b4:26f4","SourceAddress":"fe80::cd46:3442:b9b4:26f4","ProcessID":"660","Protocol":"6","LayerName":"%%14610","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"46","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","FilterRTID":"65786","SourcePort":"55998"},"channel":"Security"}}

Offset: 78 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59395\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"c0cae1db2f2ff2ffed727080417bba99514d659ad68c34f42e66728803f5ed1c","action":"Filtering Platform Connection","created":"2026-05-05T08:14:39.057Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.526Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":204128128,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"4","Application":"System","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"59395"},"channel":"Security"}}

Offset: 79 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x167D727\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"9c3eca8f6a5660f03904bad5cd4e4b7e9c7e7581b975aa8fa0fc36630ff71b1c","action":"Special Logon","created":"2026-05-05T08:10:10.735Z","code":4672,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.907Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":1268}},"event_id":4672,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"api":"wineventlog","record_id":253526766,"task":"Special Logon","event_data":{"SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","SubjectUserName":"W2016AD-N25$","SubjectLogonId":"0x167d727","PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"},"channel":"Security"}}

Offset: 80 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::6c1c:1afd:b16:ecb9\n\tSource Port:\t\t59395\n\tDestination Address:\tfe80::6c1c:1afd:b16:ecb9\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a02c2b3f28e09a33a63b39f3dac4abec5139b457b8e2d13afc5192ee27c891f0","action":"Filtering Platform Connection","created":"2026-05-05T08:14:39.057Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:38.526Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","record_id":204128129,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"445","DestAddress":"fe80::6c1c:1afd:b16:ecb9","SourceAddress":"fe80::6c1c:1afd:b16:ecb9","ProcessID":"4","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"System","FilterRTID":"65788","SourcePort":"59395"},"channel":"Security"}}

Offset: 81 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM.CSOC\n\tLogon ID:\t\t0x167D727\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{A54EF9E1-8031-CC9C-11F5-10B85AC5636F}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tfe80::cd46:3442:b9b4:26f4\n\tSource Port:\t\t55998\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"09c5655e07b2fd54a60eae4fa6aff0deedf4b0078043e7bb951d44b6e1b6f871","action":"Logon","created":"2026-05-05T08:10:10.736Z","code":4624,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.907Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":1268}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":4624,"opcode":"Info","keywords":["Audit Success"],"version":2,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526767,"task":"Logon","event_data":{"TargetUserName":"W2016AD-N25$","SubjectUserName":"-","ProcessId":"0x0","AuthenticationPackageName":"Kerberos","WorkstationName":"-","TransmittedServices":"-","SubjectUserSid":"S-1-0-0","TargetLinkedLogonId":"0x0","SubjectLogonId":"0x0","ElevatedToken":"%%1842","LogonType":"3","LogonProcessName":"Kerberos","TargetDomainName":"TDARPLATFORM.CSOC","KeyLength":"0","TargetUserSid":"S-1-5-18","SubjectDomainName":"-","TargetOutboundUserName":"-","ProcessName":"-","TargetOutboundDomainName":"-","ImpersonationLevel":"%%1833","LogonGuid":"{A54EF9E1-8031-CC9C-11F5-10B85AC5636F}","TargetLogonId":"0x167d727","LmPackageName":"-","VirtualAccount":"%%1843","IpPort":"55998","IpAddress":"fe80::cd46:3442:b9b4:26f4","RestrictedAdminMode":"-"},"channel":"Security"}}

Offset: 82 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tSource Address:\t\t0.0.0.0\n\tSource Port:\t\t59396\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t36","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"164bfe9304a9ed626a582c07e76b7bf87e41c91ae9f92bd6db95dd0c08dbb0b7","action":"Filtering Platform Connection","created":"2026-05-05T08:14:41.089Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:39.540Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":4796}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5158,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","keywords":["Audit Success"],"record_id":204128130,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"4","Application":"System","LayerRTID":"36","SourceAddress":"0.0.0.0","FilterRTID":"0","SourcePort":"59396"},"channel":"Security"}}

Offset: 83 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x167D727\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"26ffdda6cf2c1877b2aa6b7dca62e40ac02d44acce43fd2fc235b23e4cdb86d7","action":"Logoff","created":"2026-05-05T08:10:10.736Z","code":4634,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:09.913Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":660,"thread":{"id":3588}},"event_id":4634,"opcode":"Info","api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"record_id":253526769,"task":"Logoff","event_data":{"LogonType":"3","TargetUserName":"W2016AD-N25$","TargetLogonId":"0x167d727","TargetUserSid":"S-1-5-18","TargetDomainName":"TDARPLATFORM"},"channel":"Security"}}

Offset: 84 Key: Timestamp: 2026-05-06 04:53:44.515 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t41493\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"72d25d8043861da12c49e4aa558ceefa7ce722e86a74ece987df77500899ebe1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:10:14.766Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:13.156Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5152,"api":"wineventlog","keywords":["Audit Failure"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":253526770,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67683","SourcePort":"41493"},"channel":"Security"}}

Offset: 85 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has blocked a packet.\n\nApplication Information:\n\tProcess ID:\t\t0\n\tApplication Name:\t-\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.197\n\tSource Port:\t\t41493\n\tDestination Address:\t239.255.255.250\n\tDestination Port:\t\t1900\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t67683\n\tLayer Name:\t\tTransport\n\tLayer Run-Time ID:\t13","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"72d25d8043861da12c49e4aa558ceefa7ce722e86a74ece987df77500899ebe1","action":"Filtering Platform Packet Drop","created":"2026-05-05T08:10:14.766Z","code":5152,"outcome":"failure","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:13.156Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5152,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Failure"],"api":"wineventlog","record_id":253526771,"task":"Filtering Platform Packet Drop","event_data":{"Direction":"%%14592","DestPort":"1900","ProcessId":"0","DestAddress":"239.255.255.250","SourceAddress":"172.30.4.197","Protocol":"17","LayerName":"%%14597","Application":"-","LayerRTID":"13","FilterRTID":"67683","SourcePort":"41493"},"channel":"Security"}}

Offset: 86 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.30.4.205\n\tSource Port:\t\t59396\n\tDestination Address:\t172.30.4.205\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65789\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"e239f11bb9f2e9687ce24f079c489a8daeb6c6a18c2e28fd2d18570948892152","action":"Filtering Platform Connection","created":"2026-05-05T08:14:41.089Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:39.540Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","process":{"pid":4,"thread":{"id":4796}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"version":1,"api":"wineventlog","record_id":204128131,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59396","DestPort":"445","DestAddress":"172.30.4.205","SourceAddress":"172.30.4.205","ProcessID":"4","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"48","Application":"System","FilterRTID":"65789","Direction":"%%14593"},"channel":"Security"}}

Offset: 87 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t2332\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t55999\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"a77fce3a13b0a2a839743067e436f5dcca2c97d6ff1a2ddc12b59b558959d6d4","action":"Filtering Platform Connection","created":"2026-05-05T08:10:16.788Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:15.022Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5158,"opcode":"Info","keywords":["Audit Success"],"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526772,"task":"Filtering Platform Connection","event_data":{"Protocol":"6","LayerName":"%%14608","ProcessId":"2332","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"55999"},"channel":"Security"}}

Offset: 88 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2332\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t55999\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"59d443f04b16b7d2b7eb966d7f1acc0bdc0161aef88b475dba81f1c38d1735b9","action":"Filtering Platform Connection","created":"2026-05-05T08:10:16.788Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:15.022Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"version":1,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253526773,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55999","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"2332","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"50","Application":"\\device\\harddiskvolume2\\windows\\adws\\microsoft.activedirectory.webservices.exe","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 89 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has permitted a bind to a local port.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tSource Address:\t\t::\n\tSource Port:\t\t59397\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tResource Assignment\n\tLayer Run-Time ID:\t38","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"fa5cf1eef34f2da3eabeb3df4bfdd6c70fdace24d3f8575d3aef778dcfc86e1d","action":"Filtering Platform Connection","created":"2026-05-05T08:14:41.089Z","code":5158,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:39.619Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":320}},"computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":5158,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","record_id":204128132,"task":"Filtering Platform Connection","event_data":{"LayerName":"%%14608","Protocol":"6","ProcessId":"4","Application":"System","LayerRTID":"38","SourceAddress":"::","FilterRTID":"0","SourcePort":"59397"},"channel":"Security"}}

Offset: 90 Key: Timestamp: 2026-05-06 04:53:44.516 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t660\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\lsass.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t::1\n\tSource Port:\t\t55999\n\tDestination Address:\t::1\n\tDestination Port:\t\t389\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65786\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t46","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"b171b3a4662276222ff4f355a6fe1018e0e2dd98b352a7137dfe4eaa0ad72caf","action":"Filtering Platform Connection","created":"2026-05-05T08:10:16.788Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:15.022Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1096}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"keywords":["Audit Success"],"opcode":"Info","record_id":253526774,"task":"Filtering Platform Connection","event_data":{"SourcePort":"55999","DestPort":"389","DestAddress":"::1","SourceAddress":"::1","ProcessID":"660","LayerName":"%%14610","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\lsass.exe","LayerRTID":"46","RemoteUserID":"S-1-0-0","FilterRTID":"65786","Direction":"%%14592"},"channel":"Security"}}

Offset: 91 Key: Timestamp: 2026-05-06 04:53:44.518 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59397\n\tDestination Address:\tfe80::fe:3f96:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"2d01281ea9605967d74cad330338d234ba9b351b1613acc3378b28de88433737","action":"Filtering Platform Connection","created":"2026-05-05T08:14:41.089Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:39.619Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":320}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","event_id":5156,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"api":"wineventlog","record_id":204128133,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14593","DestPort":"445","DestAddress":"fe80::fe:3f96:53e1:fb32","SourceAddress":"fe80::fe:3f96:53e1:fb32","ProcessID":"4","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","Application":"System","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","SourcePort":"59397"},"channel":"Security"}}

Offset: 92 Key: Timestamp: 2026-05-06 04:53:44.518 Headers: empty

{"message":"Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x167D825\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"61cc2d9f003d1e9c7904fba9c531b30ac3f224f3c9babe58597a3cae37a86295","action":"Special Logon","created":"2026-05-05T08:10:16.788Z","code":4672,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:10:15.024Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":660,"thread":{"id":1268}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4672,"opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","api":"wineventlog","record_id":253526775,"task":"Special Logon","event_data":{"SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","SubjectUserName":"W2016AD-N25$","SubjectLogonId":"0x167d825","PrivilegeList":"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"},"channel":"Security"}}

Offset: 93 Key: Timestamp: 2026-05-06 04:53:44.988 Headers: empty

{"message":"A network share object was accessed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-MDLQ2GQ94V9$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x59D668\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59417\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\SYSVOL\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\n\nAccess Request Information:\n\tAccess Mask:\t\t0x1\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\t","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"57159a341293df9b142d854337184fa6b5cdf4e4a5aba73b36199cca47fd4b37","action":"File Share","created":"2026-05-05T08:18:00.902Z","code":5140,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:17:59.801Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1968}},"event_id":5140,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","record_id":204128597,"task":"File Share","event_data":{"ShareName":"\\\\*\\SYSVOL","SubjectUserName":"WIN-MDLQ2GQ94V9$","ShareLocalPath":"\\??\\C:\\Windows\\SYSVOL\\sysvol","SubjectDomainName":"TDARPLATFORM","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x59d668","ObjectType":"File","IpPort":"59417","IpAddress":"fe80::fe:3f96:53e1:fb32","AccessList":"%%4416\n\t\t\t\t","AccessMask":"0x1"},"channel":"Security"}}

Offset: 94 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2384\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t172.30.4.206\n\tSource Port:\t\t49236\n\tDestination Address:\t172.30.4.206\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t65787\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"0f1c075edb547330e563fece8a5947b7fa693669229a268e031781c266028a7e","action":"Filtering Platform Connection","created":"2026-05-05T08:14:30.026Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"w2016ad-n25.tdarplatform.csoc","id":"9ca2332f-614b-4da2-897e-35dfbc072591","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:28.411Z","agent":{"name":"w2016ad-n25","id":"16b27c50-d19b-4829-8363-ff3aabf1f846","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"record_id":253527422,"task":"Filtering Platform Connection","event_data":{"Direction":"%%14592","DestPort":"53","DestAddress":"172.30.4.206","SourceAddress":"172.30.4.206","ProcessID":"2384","LayerName":"%%14610","Protocol":"17","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","LayerRTID":"44","Application":"\\device\\harddiskvolume2\\windows\\system32\\dns.exe","FilterRTID":"65787","SourcePort":"49236"},"channel":"Security"}}

Offset: 95 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59417\n\tDestination Address:\tfe80::fe:3f96:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"59925aeb66103d6632cd9b500f1854ccfe05fee8a9c783b12eef2d18f8068ecf","action":"Filtering Platform Connection","created":"2026-05-05T08:18:00.902Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:17:59.801Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1968}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","version":1,"record_id":204128598,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59417","DestPort":"445","DestAddress":"fe80::fe:3f96:53e1:fb32","SourceAddress":"fe80::fe:3f96:53e1:fb32","ProcessID":"4","Protocol":"6","LayerName":"%%14611","RemoteMachineID":"S-1-0-0","RemoteUserID":"S-1-0-0","Application":"System","LayerRTID":"50","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 96 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:31.050Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:29.727Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"w2016ad-n25.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1096}},"event_id":4703,"api":"wineventlog","keywords":["Audit Success"],"opcode":"Info","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253527423,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectUserSid":"S-1-5-18","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 97 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59417\n\tDestination Address:\tfe80::fe:3f96:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"59925aeb66103d6632cd9b500f1854ccfe05fee8a9c783b12eef2d18f8068ecf","action":"Filtering Platform Connection","created":"2026-05-05T08:18:00.902Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"platform":"windows","name":"Windows Server 2016 Standard","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:17:59.801Z","agent":{"name":"WIN-MDLQ2GQ94V9","id":"829caaa0-db4b-40b2-8076-11ac1493a97b","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1968}},"event_id":5156,"api":"wineventlog","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","keywords":["Audit Success"],"opcode":"Info","version":1,"record_id":204128599,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59417","DestPort":"445","DestAddress":"fe80::fe:3f96:53e1:fb32","SourceAddress":"fe80::fe:3f96:53e1:fb32","ProcessID":"4","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"System","RemoteUserID":"S-1-0-0","LayerRTID":"50","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}

Offset: 98 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tW2016AD-N25$\n\tAccount Domain:\t\tTDARPLATFORM\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n\tProcess ID:\t\t0x158\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n\nEnabled Privileges:\n\t\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege\n\nDisabled Privileges:\n\t\t\t-","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"429f9a471e1012249cb9022fdf09eaebc60f1a5dedeed53c40cb621e6908e7a2","action":"Token Right Adjusted Events","created":"2026-05-05T08:14:31.050Z","code":4703,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"9ca2332f-614b-4da2-897e-35dfbc072591","name":"w2016ad-n25.tdarplatform.csoc","hostname":"w2016ad-n25","os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.2430","version":"10.0","kernel":"10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)","family":"windows"},"mac":["00:50:56:bf:9f:79","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"ip":["fe80::cd46:3442:b9b4:26f4","172.30.4.206","fe80::5efe:ac1e:4ce","2001:0:4625:9904:2045:2a14:53e1:fb31","fe80::2045:2a14:53e1:fb31"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:14:29.727Z","agent":{"id":"16b27c50-d19b-4829-8363-ff3aabf1f846","name":"w2016ad-n25","ephemeral_id":"436fbb1d-254b-4868-9ca3-33dd28e8ff2a","hostname":"w2016ad-n25","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"process":{"pid":4,"thread":{"id":1096}},"computer_name":"w2016ad-n25.tdarplatform.csoc","provider_name":"Microsoft-Windows-Security-Auditing","event_id":4703,"api":"wineventlog","opcode":"Info","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_id":253527424,"task":"Token Right Adjusted Events","event_data":{"SubjectUserName":"W2016AD-N25$","TargetUserName":"W2016AD-N25$","ProcessId":"0x158","SubjectDomainName":"TDARPLATFORM","EnabledPrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege","SubjectUserSid":"S-1-5-18","ProcessName":"C:\\Windows\\System32\\svchost.exe","SubjectLogonId":"0x3e7","TargetLogonId":"0x3e7","TargetDomainName":"TDARPLATFORM","DisabledPrivilegeList":"-","TargetUserSid":"S-1-0-0"},"channel":"Security"}}

Offset: 99 Key: Timestamp: 2026-05-06 04:53:44.991 Headers: empty

{"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\tfe80::fe:3f96:53e1:fb32\n\tSource Port:\t\t59417\n\tDestination Address:\tfe80::fe:3f96:53e1:fb32\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t65788\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t50","log":{"level":"information"},"type":"winlogbeat","event":{"provider":"Microsoft-Windows-Security-Auditing","hash":"59925aeb66103d6632cd9b500f1854ccfe05fee8a9c783b12eef2d18f8068ecf","action":"Filtering Platform Connection","created":"2026-05-05T08:18:00.902Z","code":5156,"outcome":"success","kind":"event"},"ecs":{"version":"1.5.0"},"@version":"1","event_type":"windows","host":{"id":"d3fe0a29-15df-481b-ab7d-fd4eb311fbc5","name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","hostname":"WIN-MDLQ2GQ94V9","mac":["00:50:56:bf:cb:a8","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"name":"Windows Server 2016 Standard","platform":"windows","build":"14393.5717","version":"10.0","kernel":"10.0.14393.5717 (rs1_release.230203-1742)","family":"windows"},"ip":["fe80::6c1c:1afd:b16:ecb9","172.30.4.205","fe80::5efe:ac1e:4cd","2001:0:4625:9904:fe:3f96:53e1:fb32","fe80::fe:3f96:53e1:fb32"],"architecture":"x86_64"},"@timestamp":"2026-05-05T08:17:59.802Z","agent":{"id":"829caaa0-db4b-40b2-8076-11ac1493a97b","name":"WIN-MDLQ2GQ94V9","ephemeral_id":"0650b63b-73b4-4557-ba3a-e762f876c508","hostname":"WIN-MDLQ2GQ94V9","version":"7.10.2","type":"winlogbeat"},"tags":["beats_input_codec_plain_applied"],"winlog":{"provider_name":"Microsoft-Windows-Security-Auditing","computer_name":"WIN-MDLQ2GQ94V9.tdarplatform.csoc","process":{"pid":4,"thread":{"id":1968}},"event_id":5156,"api":"wineventlog","keywords":["Audit Success"],"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","version":1,"opcode":"Info","record_id":204128600,"task":"Filtering Platform Connection","event_data":{"SourcePort":"59417","DestPort":"445","DestAddress":"fe80::fe:3f96:53e1:fb32","SourceAddress":"fe80::fe:3f96:53e1:fb32","ProcessID":"4","LayerName":"%%14611","Protocol":"6","RemoteMachineID":"S-1-0-0","Application":"System","LayerRTID":"50","RemoteUserID":"S-1-0-0","FilterRTID":"65788","Direction":"%%14593"},"channel":"Security"}}